Mar 31, 2026 • 10 min

Axios NPM Hijack: Maintainer Account Compromised, RAT Deployed

The npm account of the lead axios maintainer was taken over, resulting in two malicious versions that deployed a cross-platform remote access trojan. With ~100 million weekly downloads, this is among the highest-impact npm supply-chain attacks on record.

Overview

On March 31, 2026, two malicious versions of axios were published to npm: [email protected] and [email protected]. Both were published from the compromised npm account of jasonsaayman, the primary maintainer of axios. npm removed both versions after the incident was reported, but the window between publication and takedown was long enough to affect a significant number of installs.

No corresponding commit, tag, or GitHub release exists for either version. The axios project uses GitHub Actions with OIDC Trusted Publisher binding for all official releases, meaning every legitimate publish is traceable to a specific workflow run. These two versions bypassed that entirely — they were pushed directly to the registry using a stolen npm token. The only structural difference from the legitimate releases was a single new entry in the dependency list: plain-crypto-js@^4.2.1, a package with no role in the axios codebase.

Attack Chain

The attack was pre-staged roughly 18 hours before the axios versions were published. A separate attacker-controlled account (nrwise, using [email protected]) uploaded plain-crypto-js to the npm registry. A clean decoy version (4.2.0) was published first to establish registry history and avoid immediate suspicion, followed by the malicious 4.2.1 at 23:59 UTC on March 30.

With the dropper package in place, the attacker changed the email on the jasonsaayman npm account to [email protected] and published [email protected] at 00:21 UTC on March 31, followed by [email protected] at 01:00 UTC — both the active 1.x branch and the legacy 0.x branch were hit within a 39-minute window.

When a developer ran npm install and resolved either malicious axios version, npm also fetched [email protected]. Its postinstall hook executed setup.js, which contacted sfrclak[.]com:8000 and delivered a platform-specific RAT payload:

  • macOS — a native binary written to /Library/Caches/com.apple.act.mond, posing as a system cache process and registered for persistence
  • Windows — a VBScript stub that silently launches a PowerShell payload, with a renamed interpreter staged at %PROGRAMDATA%\wt.exe to blend in with system processes
  • Linux — a Python script dropped to /tmp/ld.py, named to resemble a dynamic linker file

Once the payload was running, setup.js wiped itself from disk and overwrote its own package.json with a harmless stub. Scanning node_modules after the fact will turn up nothing suspicious in the file contents — but the plain-crypto-js directory will still be present, and the RAT will remain active on the host until it is found and the system rebuilt.

Checking for Compromise

Run the following checks on any system that may have installed axios during the affected window. A positive result from any step should be treated as a confirmed compromise.

1 — Check for malicious axios versions

npm list axios 2>/dev/null | grep -E "1\.14\.1|0\.30\.4"
grep -A1 '"axios"' package-lock.json | grep -E "1\.14\.1|0\.30\.4"

2 — Check for the dropper package

Even if setup.js self-deleted, the directory persists. Its presence alone confirms the dropper ran.

ls node_modules/plain-crypto-js 2>/dev/null && echo "POTENTIALLY AFFECTED"

3 — Check for RAT artifacts on disk

# macOS
ls -la /Library/Caches/com.apple.act.mond 2>/dev/null && echo "COMPROMISED"

# Windows
dir "%PROGRAMDATA%\wt.exe" 2>nul && echo COMPROMISED

# Linux
ls -la /tmp/ld.py 2>/dev/null && echo "COMPROMISED"

Also review install logs and CI pipeline records for any run that pulled axios during the affected window (March 31, 00:21–01:30 UTC). If you ran npm install without --ignore-scripts and your lock file resolved to either affected version, assume execution occurred.
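The three checks above as one lockfile scanner, written here as an added example (not part of the original post, and not axios project code): it takes a parsed package-lock.json object, handles both the v1 "dependencies" tree and the v2/v3 "packages" map, and flags the two malicious axios versions plus any resolved plain-crypto-js. SAMPLE_LOCK is a constructed lockfile, not one captured from a real install.

```javascript
// Scan a parsed package-lock.json for the axios hijack indicators:
// the two malicious axios versions and the plain-crypto-js dropper.
const MALICIOUS_AXIOS = new Set(["1.14.1", "0.30.4"]);
const DROPPER = "plain-crypto-js";

// lockfileVersion 1: nested "dependencies" tree; recurse into each entry.
function* walkV1(deps) {
  for (const [name, entry] of Object.entries(deps || {})) {
    yield [name, entry.version];
    if (entry.dependencies) yield* walkV1(entry.dependencies);
  }
}

// lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
// "node_modules/axios" or "node_modules/a/node_modules/axios". The package
// name (scoped names included) is whatever follows the last "node_modules/".
function* walkV2(packages) {
  const marker = "node_modules/";
  for (const [key, entry] of Object.entries(packages || {})) {
    if (key === "") continue; // root project entry, not a dependency
    yield [key.slice(key.lastIndexOf(marker) + marker.length), entry.version];
  }
}

// Returns an array of findings; an empty array means no indicator matched.
function findAffected(lockfile) {
  const entries = lockfile.packages
    ? walkV2(lockfile.packages)
    : walkV1(lockfile.dependencies);
  const findings = [];
  for (const [name, version] of entries) {
    if (name === "axios" && MALICIOUS_AXIOS.has(version))
      findings.push({ name, version, reason: "malicious axios version" });
    if (name === DROPPER)
      findings.push({ name, version, reason: "dropper package resolved" });
  }
  return findings;
}

// Constructed sample (v3 layout) showing what a hit looks like: axios@1.14.1
// pulling in plain-crypto-js@4.2.1, which npm marks with hasInstallScript.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "^4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
  },
};

if (typeof require !== "undefined" && require.main === module)
  console.log(findAffected(SAMPLE_LOCK));
```

Against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the same walk works for nested copies of axios that a transitive dependency resolved.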

Remediation

Pin to safe versions immediately. For both 1.x and 0.x users:

npm install [email protected]   # 1.x
npm install [email protected]   # 0.x

Add overrides to prevent transitive resolution of the affected versions:

{
  "dependencies": { "axios": "1.14.0" },
  "overrides":    { "axios": "1.14.0" },
  "resolutions":  { "axios": "1.14.0" }
}

Remove the dropper package and reinstall without lifecycle scripts:

rm -rf node_modules/plain-crypto-js
npm install --ignore-scripts

If any RAT artifact is present (com.apple.act.mond, wt.exe, ld.py), do not attempt to clean in place. Treat the system as fully compromised and rebuild from a known-good image.

Regardless of whether RAT artifacts are found, rotate all credentials that were accessible on any affected system — npm tokens, AWS access keys, SSH private keys, CI/CD secrets, and any values stored in .env files. Assume the attacker had full read access to the environment at the time of installation. Adopt npm ci --ignore-scripts as standard policy in all CI/CD pipelines going forward.

IOCs

Malicious packages

[email protected]  ·  shasum: 2553649f2322049666871cea80a5d0d6adc700ca

[email protected]  ·  shasum: d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71

[email protected]  ·  shasum: 07d889e2dadce6f3910dcbc253317d28ca61c766

Network

C2: sfrclak[.]com  ·  142.11.206[.]73

hxxp://sfrclak[.]com:8000/6202033

File system artifacts

macOS   /Library/Caches/com.apple.act.mond

sha256: 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a

Windows   %PROGRAMDATA%\wt.exe  ·  %TEMP%\6202033.vbs  ·  %TEMP%\6202033.ps1

sha256: 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 (PowerShell)

Linux   /tmp/ld.py

sha256: fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf

Attacker accounts

jasonsaayman (compromised)  ·  email changed to [email protected]

nrwise (attacker-created)  ·  [email protected]
