100M Weekly Downloads at Risk: The Axios Cross-Platform RAT Backdoor

On March 31, 2026, the JavaScript ecosystem experienced one of the most operationally sophisticated supply chain attacks ever documented. Threat actors compromised the primary maintainer account of axios - the most popular HTTP client library in the world, boasting over 100 million weekly downloads - and manually published two malicious versions (1.14.1 and 0.30.4) directly to the npm registry.

The malicious releases completely bypassed the project's standard GitHub Actions CI/CD pipelines. They injected a phantom dependency designed to execute a cross-platform Remote Access Trojan (RAT) dropper the moment a developer or CI server ran npm install.

Bypassing CI/CD: The Maintainer Account Hijack

The attackers successfully compromised the jasonsaayman npm account, the primary maintainer of the axios project. By altering the account's registered email to an attacker-controlled ProtonMail address, they gained the ability to publish malicious builds across both the 1.x and 0.x release branches simultaneously.

A critical forensic signal was immediately apparent in the npm registry metadata. Legitimate axios 1.x releases are published via GitHub Actions using npm’s OIDC Trusted Publisher mechanism. This cryptographically ties the publish event to a verified GitHub workflow. The malicious 1.14.1 version broke this pattern entirely. It was published manually via a stolen npm access token with no OIDC binding and no corresponding GitHub commit or tag. The release existed only on npm.

The Phantom Dependency Injection

The attackers did not inject a single line of malicious code into the actual axios source files. Instead, they pre-staged a malicious package on npm called plain-crypto-js@4.2.1 from a separate throwaway account.

They then published the compromised axios versions with plain-crypto-js: "^4.2.1" added as a runtime dependency. A simple grep across the axios source code confirms that plain-crypto-js is never imported or utilized anywhere in the codebase. It was added to the manifest for one single purpose: to trigger a malicious postinstall hook.

The Execution: A Cross-Platform RAT Dropper

When a developer or CI/CD runner executed npm install axios@1.14.1, npm resolved the dependency tree and automatically installed plain-crypto-js. This immediately triggered a postinstall script that launched a heavily obfuscated dropper.

The dropper assessed the host operating system and branched into one of three platform-specific attack paths:

• macOS: Dropped an AppleScript file to the system temp directory that contacted the Command and Control (C2) server (sfrclak.com:8000). It downloaded a macOS RAT binary, saved it to a disguised system cache directory (/Library/Caches/com.apple.act.mond), and launched it via the Z shell.
• Windows: Executed a VBScript to run a fully hidden cmd.exe window, returning a PowerShell RAT script that executed with execution policies bypassed.
• Linux: Executed a direct shell command via Node.js’s execSync, fetching a Python RAT script saved to /tmp/ld.py and executed in the background.

Advanced Anti-Forensic Evasion

After successfully launching the platform payload, the dropper executed a series of forensic cleanup steps to erase its tracks. It deleted its own setup.js file, deleted the package.json that contained the incriminating postinstall hook, and replaced it with a pre-staged, clean stub.

Post-infection, any developer manually inspecting the node_modules/plain-crypto-js/package.json file would see a completely clean manifest. Standard npm audit checks would reveal nothing amiss.

Immediate Remediation Steps

The malicious versions were live on the npm registry for approximately 2.5 hours before npm intervened and unpublished them. If your CI/CD pipelines or local development environments installed axios@1.14.1 or axios@0.30.4 during this window, you must assume your system is compromised.

1. Downgrade your axios version back to the safe, legitimate releases (1.14.0 for the 1.x branch, or 0.30.3 for the 0.x branch) and pin them.
2. Add an overrides and resolutions block to your package manifests to permanently prevent transitive resolution back to the malicious versions.
3. Do not attempt to clean a compromised machine in place. Rebuild from a known-good state.
4. Rotate all credentials, npm tokens, AWS access keys, SSH private keys, and environment variables that were present on any system where the malicious package executed.
5. Implement npm ci --ignore-scripts as a standing policy in your automated pipelines to prevent postinstall hooks from running.

Intercepting Execution-Layer Threats with FailSafe

The axios compromise highlights a critical flaw in modern software development: static code analysis and traditional dependency scanners fail to catch execution-layer supply chain attacks. By the time a vulnerability is officially cataloged and published to an audit database, the damage is already done.