logo

Axios Attacker Behind Three More Malicious NPM Packages

ID: 562ca049-d55c-526f-95b2-dbcb50eb9470

STIX ID: report--562ca049-d55c-526f-95b2-dbcb50eb9470

Feed Name: OpenSourceMalware Blog

Threat Score
88/100

Date Published: 2026-05-19

Date Updated: 2026-06-20

Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2

...
...

The report details discovery of three malicious NPM packages (redeem-onchain-sdk, nicegui, period-newline) delivering a cross-platform infostealer tied to the March 2026 Axios compromise: the packages share the XOR key "OrDeR_7077", use multi-layer obfuscation and self-deletion, exfiltrate credentials to C2 at 18.208.244.120:9999 using AES-256-GCM framing, and remained active across April–May 2026; the report includes IOCs, technical analysis, and remediation steps.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.