The Axios npm supply chain incident: fake dependency, real backdoor
ID: d69166bc-a052-5dda-8ade-47dbbad20031
STIX ID: report--d69166bc-a052-5dda-8ade-47dbbad20031
Feed Name: NVISO Labs
On 2026-03-31 attackers published two trojanized Axios npm versions that pulled in a malicious dependency ([email protected]) whose postinstall dropper fetched OS-specific RAT payloads. Although the packages were removed from the registry within hours, that window was enough for multiple detections across developer workstations and Docker containers. The report documents the Windows infection chain (a copy of PowerShell renamed to C:\ProgramData\wt.exe, the 6202033.vbs and 6202033.ps1 second-stage scripts, and registry persistence under the name MicrosoftUpdate), provides IOCs (hashes, domains, IPs, URL) and KQL hunting queries for detection, and lists recommended containment and remediation steps.
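For a host-side check complementing the report's KQL queries, the following PowerShell triage function is an added example written for this page; it is not code from the NVISO report. It looks only for the Windows artifacts the summary names. What it assumes beyond the summary is labelled in the comments: that the MicrosoftUpdate persistence lives in a Run/RunOnce key (the summary does not say which hive or key), that the 6202033.* scripts land somewhere under ProgramData, TEMP or LOCALAPPDATA, and that a renamed PowerShell can be recognised from its PE version info.

```powershell
# Added triage example for the Axios npm incident (not from the NVISO report).
# Assumptions not stated in the summary: Run/RunOnce keys for "MicrosoftUpdate",
# the directories searched for 6202033.vbs/.ps1, and PE version info as the
# tell for a renamed powershell.exe.
function Test-AxiosIncidentArtifacts {
    [CmdletBinding()]
    param(
        # Assumed drop locations for the second-stage scripts.
        [string[]] $ScriptSearchRoots = @($env:ProgramData, $env:TEMP, $env:LOCALAPPDATA)
    )
    $findings = @()

    # 1. C:\ProgramData\wt.exe: the report says this is PowerShell renamed.
    #    A copy of powershell.exe keeps its PE version resource, so
    #    OriginalFilename/ProductName still say PowerShell even though the
    #    file is called wt.exe (the Windows Terminal launcher's name).
    $wt = Join-Path $env:ProgramData 'wt.exe'
    if (Test-Path -LiteralPath $wt) {
        $vi = (Get-Item -LiteralPath $wt).VersionInfo
        $findings += [pscustomobject]@{
            Artifact = $wt
            Detail   = "OriginalFilename=$($vi.OriginalFilename); ProductName=$($vi.ProductName)"
            Suspect  = ($vi.OriginalFilename -like 'PowerShell*' -or $vi.ProductName -like '*PowerShell*')
        }
    }

    # 2. Second-stage scripts 6202033.vbs / 6202033.ps1 (search roots are assumed).
    foreach ($root in $ScriptSearchRoots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue `
            -Include '6202033.vbs', '6202033.ps1' |
            ForEach-Object {
                $findings += [pscustomobject]@{
                    Artifact = $_.FullName
                    Detail   = "LastWriteUtc=$($_.LastWriteTimeUtc.ToString('u'))"
                    Suspect  = $true
                }
            }
    }

    # 3. Registry persistence named "MicrosoftUpdate". The summary gives only
    #    the name; checking Run/RunOnce in both hives is an assumption. Any
    #    value that launches ProgramData\wt.exe is flagged as well.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
            $hit = ($p.Name -like '*MicrosoftUpdate*') -or
                   ($p.Value -is [string] -and $p.Value -like '*ProgramData\wt.exe*')
            if ($hit) {
                $findings += [pscustomobject]@{
                    Artifact = "$key\$($p.Name)"
                    Detail   = [string]$p.Value
                    Suspect  = $true
                }
            }
        }
    }
    return $findings
}

# Usage: run elevated so HKLM and other users' profiles are readable.
Test-AxiosIncidentArtifacts | Format-Table -AutoSize
```

A hit on wt.exe whose version info names PowerShell, or a Run value pointing at it, is strong enough to isolate the host and move to the report's containment steps; an empty result is not a clean bill of health, since the report's hashes, domains and IPs (not reproduced in this summary) cover the network and payload side that this local check does not.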
