Axios supply chain attack: How a compromised npm package delivered RAT malware
ID: 5e767477-4732-5ec1-aba9-a487c8209752
STIX ID: report--5e767477-4732-5ec1-aba9-a487c8209752
Feed Name: ThreatLocker Blog
On 2026-03-31, malicious Axios npm releases (1.14.1 and 0.30.4) were published and remained available for roughly three hours. Both pulled in a malicious dependency, plain-crypto-js, whose obfuscated setup.js fetched OS-specific RAT payloads from http://sfrclak.com:8000/6202033. The cross-platform implants perform system enumeration, command execution, and data exfiltration; the Windows implant additionally establishes persistence, and the macOS payload is a Mach-O binary. The report provides detailed code and behavioral analysis, IOCs (the C2 domain, file paths, and SHA256 hashes), and remediation steps: rolling back Axios to known-good versions, scanning lockfiles for the affected versions and the malicious dependency, rotating credentials, and blocking the C2 domain at the network level.
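The lockfile scan the report recommends, as an added example written for this page rather than code from the ThreatLocker report or the Axios project. It assumes standard package-lock.json layouts (the nested `dependencies` tree of lockfileVersion 1 and the flat `packages` map of versions 2 and 3); the sample lockfile is constructed, and the version string it gives plain-crypto-js is a placeholder because the summary above names no version for that package.

```javascript
// Added example for this page, not code from the ThreatLocker report or the Axios project.
// Scans a parsed npm package-lock.json for the compromised axios releases (1.14.1, 0.30.4)
// named in the report and for the malicious plain-crypto-js dependency they pulled in.

// Indicators taken from the report summary above.
const COMPROMISED_RELEASES = { axios: new Set(["1.14.1", "0.30.4"]) };
const MALICIOUS_PACKAGES = new Set(["plain-crypto-js"]);

// Record a hit if this (name, version) pair matches an indicator.
function check(name, version, where, hits) {
  if (MALICIOUS_PACKAGES.has(name)) {
    hits.push({ name, version, where, reason: "malicious package" });
  } else if (COMPROMISED_RELEASES[name] && COMPROMISED_RELEASES[name].has(version)) {
    hits.push({ name, version, where, reason: "compromised release" });
  }
}

// Walk a parsed lockfile. lockfileVersion 2/3 carry a flat "packages" map keyed by
// install path; lockfileVersion 1 carries a nested "dependencies" tree. A v2 file has
// both, so the packages map is preferred to avoid reporting the same install twice.
function findCompromised(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry, not a dependency
      // The package name is the last node_modules segment (covers nested and @scoped paths).
      const idx = path.lastIndexOf("node_modules/");
      const name = entry.name || (idx >= 0 ? path.slice(idx + "node_modules/".length) : path);
      check(name, entry.version, path, hits);
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const where = `${prefix}node_modules/${name}`;
        check(name, entry.version, where, hits);
        if (entry.dependencies) walk(entry.dependencies, `${where}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Wrapper for a real lockfile on disk (not invoked at load time).
function scanLockfile(filePath) {
  const fs = require("node:fs");
  return findCompromised(JSON.parse(fs.readFileSync(filePath, "utf8")));
}

// Constructed sample lockfile (lockfileVersion 3). The plain-crypto-js version string is
// a placeholder: the report summary gives no version for that package.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/follow-redirects": { version: "1.15.9" },
    "node_modules/axios/node_modules/plain-crypto-js": { version: "0.0.0-placeholder" },
  },
};

for (const h of findCompromised(SAMPLE_LOCK)) {
  console.log(`${h.reason}: ${h.name}@${h.version} at ${h.where}`);
}
```

Hits tagged "compromised release" are the installs to roll back to a known-good Axios version; a "malicious package" hit means setup.js has most likely already run on every host that installed from that lockfile, which is the trigger for the credential rotation and C2 blocking the report recommends. Yarn and pnpm lockfiles use different formats and need their own parsers.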
