Axios NPM supply chain incident
ID: 4a77e492-c90d-5fe1-a22e-db891ff070c5
STIX ID: report--4a77e492-c90d-5fe1-a22e-db891ff070c5
Feed Name: Cisco Talos
On March 31, 2026, the official Axios npm package was subject to a supply chain compromise that pushed two malicious releases (v1.14.1 and v0.30.4). The packages added a fake runtime dependency (plain-crypto-js) that runs at post-install and contacts actor infrastructure (142.11.206.73) to download platform-specific RAT payloads for Linux, macOS, and Windows, enabling credential theft and remote access. Cisco Talos advises rolling back to v1.14.0 or v0.30.3, rotating compromised credentials, and investigating systems that installed the malicious versions; indicators provided include the hosting IP, domain (sfrclak.com), and multiple SHA256 hashes for setup and platform payloads.
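To support the investigation step above, here is an added example (not code from Cisco Talos or the Axios project) that checks a parsed package-lock.json for the two malicious Axios releases and the plain-crypto-js dependency named in the summary. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: versions and dependency name are taken from the summary above.
const BAD_AXIOS = new Set(["1.14.1", "0.30.4"]);
const FAKE_DEP = "plain-crypto-js";

// Classify one resolved package; returns a finding object or null.
function classify(name, version, where) {
  if (name === "axios" && BAD_AXIOS.has(version)) {
    return { where, name, version, reason: "malicious axios release" };
  }
  if (name === FAKE_DEP) {
    return { where, name, version, reason: "injected post-install dependency" };
  }
  return null;
}

// lock: parsed package-lock.json. Handles the flat "packages" map
// (lockfileVersion 2/3) and the nested "dependencies" tree (lockfileVersion 1).
function findAffected(lock) {
  const hits = [];
  const seen = new Set(); // v2 lockfiles carry both layouts; report each path once
  const add = (f) => {
    if (f && !seen.has(f.where)) { seen.add(f.where); hits.push(f); }
  };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = meta.name || path.split("node_modules/").pop();
    add(classify(name, meta.version, path));
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = `${prefix}node_modules/${name}`;
      add(classify(name, meta.version, where));
      walk(meta.dependencies, `${where}/`); // transitive copies nest here
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not real project data).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "0.0.0-constructed" },
    "node_modules/legacy-client/node_modules/axios": { version: "0.30.3" },
  },
};
for (const f of findAffected(SAMPLE_LOCK)) console.log(`${f.where}: ${f.reason}`);
```

A hit only shows that the lockfile resolved an affected package; any host or CI runner that ran an install against that lockfile still needs the credential rotation and investigation described above.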
