logo

Malicious Transitive Dependency in Axios Affects Millions of Users

ID: 3936322e-9a0b-5509-b8a2-4b038aa54117

STIX ID: report--3936322e-9a0b-5509-b8a2-4b038aa54117

Feed Name: OpenSourceMalware Blog

Threat Score
90/100

Date Published: 2026-03-31

Date Updated: 2026-06-20

Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2

...
...

This analysis documents a supply-chain attack that injected a malicious npm package (plain-crypto-js) into axios releases, using a postinstall setup.js to deploy multi-platform RATs (Windows PowerShell reflective injection, Linux Python RAT, macOS universal binary), communicate with C2 at sfrclak.com:8000, perform extensive reconnaissance and exfiltration, and use obfuscation and self-deletion to evade analysis; the report provides timeline, IOCs, detection rules (YARA/Snort/OSQuery), and containment and long-term mitigations.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.