Supply chain attack on Axios npm package: Scope, impact, and remediations

ID: ddd471f0-f8ad-5cd9-b18b-8fff1d47f680

STIX ID: report--ddd471f0-f8ad-5cd9-b18b-8fff1d47f680

Feed Name: Tenable Blog

Threat Score: 90/100

Date Published: 2026-03-31

Date Updated: 2026-05-01

Author: Ron Popov

A critical supply-chain compromise of the Axios npm package was discovered: attackers published malicious versions 1.14.1 and 0.30.4, which add a dependency, "plain-crypto-js", that uses an npm postinstall hook to run a double-obfuscated dropper (setup.js). The dropper identifies the OS and contacts the C2 server sfrclak.com:8000 to fetch a platform-specific RAT capable of exfiltrating credentials and API keys. IOCs include the dropper SHA256 e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09 and the C2 domain. The report urges immediate scanning, quarantine, incident response, and secret rotation.
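The scanning step the report urges can start with the lockfile. The following is an added example, not code from the report or from Tenable: it flags the two Axios versions and the plain-crypto-js dependency named in the summary inside a parsed package-lock.json. The function names and the sample lockfile are constructed for illustration.

```javascript
// Versions and the dependency name come from the report; all other names are assumptions.
const BAD_VERSIONS = new Map([["axios", new Set(["1.14.1", "0.30.4"])]]);
const BAD_NAMES = new Set(["plain-crypto-js"]); // any version is a finding

// lockfile v2/v3 keys look like "node_modules/a/node_modules/@scope/b"
function packageNameFromPath(path) {
  const idx = path.lastIndexOf("node_modules/");
  return idx === -1 ? null : path.slice(idx + "node_modules/".length);
}

function classify(name, version, where) {
  if (BAD_NAMES.has(name)) return { name, version, where, reason: "malicious dependency" };
  const bad = BAD_VERSIONS.get(name);
  if (bad && bad.has(version)) return { name, version, where, reason: "compromised release" };
  return null;
}

// `lock` is the parsed JSON content of package-lock.json
function scanLockfile(lock) {
  const findings = [];
  const push = (f) => { if (f) findings.push(f); };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project
    for (const [path, meta] of Object.entries(lock.packages)) {
      // meta.name is set when the folder name differs from the package (npm alias)
      const name = path ? (meta.name || packageNameFromPath(path)) : null;
      if (name) push(classify(name, meta.version, path));
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        push(classify(name, meta.version, `${trail}/${name}`));
        walk(meta.dependencies, `${trail}/${name}`);
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

const SAMPLE_LOCK = { // constructed sample, not taken from a real project
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "0.0.0-placeholder" },
    "node_modules/http-lib": { name: "axios", version: "0.30.4" }, // aliased install
    "node_modules/legacy/node_modules/axios": { version: "0.30.3" }, // not a listed version
  },
};
```

A finding means the postinstall hook may already have run on any machine that installed from that lockfile, so it should feed the quarantine and secret-rotation steps rather than only a version pin.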