Malicious Transitive Dependency in Axios Affects Millions of Users
ID: 3936322e-9a0b-5509-b8a2-4b038aa54117
STIX ID: report--3936322e-9a0b-5509-b8a2-4b038aa54117
Feed Name: OpenSourceMalware Blog
Date Published: 2026-03-31
Date Updated: 2026-06-20
Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2
This analysis documents a supply-chain attack that injected a malicious npm package (plain-crypto-js) into axios releases, using a postinstall setup.js to deploy multi-platform RATs (Windows PowerShell reflective injection, Linux Python RAT, macOS universal binary), communicate with C2 at sfrclak.com:8000, perform extensive reconnaissance and exfiltration, and use obfuscation and self-deletion to evade analysis; the report provides timeline, IOCs, detection rules (YARA/Snort/OSQuery), and containment and long-term mitigations.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
