Researchers found that compromised Axios versions installed a Remote Access Trojan (RAT).
Axios is a promise-based HTTP client for Node.js and the browser, basically a helper library that developers use behind the scenes to let apps talk to the internet. For example, Axios makes requests such as “get my messages from the server” or “send this form to the website” easier and more reliable for programmers, and it saves them from having to write a lot of low‑level networking code themselves.
Since it works both in the browser and on servers (Node.js), a lot of modern JavaScript‑based projects include it as a standard building block. Even if you never install Axios yourself, you might indirectly run into it when you:
- Use web apps built with frameworks like React, Vue, or Angular.
- Use mobile apps or desktop apps built with web technologies like Electron, React Native, and others.
- Visit smaller Software-as-a-Service (SaaS) tools, admin panels, or self‑hosted services built by developers who picked Axios.
You could compare it to the plumbing in your house. Usually you don’t notice the pipes, but they bring the water to where you open a faucet. And you don’t need to know where they are until a leak occurs.
What happened?
Using the compromised credentials of a lead maintainer of Axios, an attacker published poisoned packages to npm: [email protected] and [email protected]. The malicious versions add a new dependency, [email protected], which is never imported anywhere in the axios source code; it exists only to run at install time.
Together the two affected packages reach up to 100 million weekly downloads on npm, which gives the compromise a huge blast radius across web apps, services, and CI pipelines.
It is important to note that the affected Axios versions do not appear in the project’s official GitHub tags. The people and projects affected are therefore the developers and environments that ran npm install and resolved to one of:
- [email protected] or [email protected], or
- the dependency [email protected].
Any workflow that installed one of those versions with install scripts enabled may have exposed every secret injected into that environment (cloud keys, repo deploy keys, npm tokens, etc.) to an interactive attacker. The postinstall script (node setup.js), which npm runs automatically on install unless ignore-scripts is set, downloaded an obfuscated dropper that in turn retrieves a platform‑specific RAT payload for macOS, Windows, or Linux.
If you are a developer who installed or deployed Axios, treat any machine that installed the bad versions as potentially fully compromised and rotate its secrets. The attacker may have obtained repo access, signing keys, API keys, or other secrets that can be used to backdoor future releases or to attack your backend and your users.
Users of apps built with Axios have no direct reason to worry. If you are just loading an app in a browser, you are not executing this RAT via Axios: the infection path is the install/build step, not the app’s runtime.
Indicators of Compromise (IOCs)
As the researchers pointed out, the malware dropper cleans up after itself:
“Any post-infection inspection of node_modules/plain-crypto-js/package.json will show a completely clean manifest. There is no postinstall script, no setup.js file, and no indication that anything malicious was ever installed. Running npm audit or manually reviewing the installed package directory will not reveal the compromise.”
What you can look for, then, are these IOCs:
Domain: sfrclak[.]com
IP address: 142.11.206.73
(both blocked by Malwarebytes products)
Files:
- macOS: /Library/Caches/com.apple.act.mond
- Linux: /tmp/ld.py
- Windows: %PROGRAMDATA%\wt, plus %TEMP%\6202033.vbs and %TEMP%\6202033.ps1, which only exist briefly during execution
Malicious npm packages (the digests below are 40 hex characters, which is the length of a SHA-1 digest as npm reports it in a tarball’s shasum field; a SHA-256 digest would be 64 characters):
[email protected] SHA-1 checksum: 2553649f2322049666871cea80a5d0d6adc700ca
[email protected] SHA-1 checksum: d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71
[email protected] SHA-1 checksum: 07d889e2dadce6f3910dcbc253317d28ca61c766