Compromised axios npm package delivers cross-platform RAT
ID: 05187aba-a7c3-5bf1-804b-5e670803274f
STIX ID: report--05187aba-a7c3-5bf1-804b-5e670803274f
Feed Name: Datadog Security Labs
On 31 March 2026 an attacker hijacked an axios maintainer account and published malicious releases ([email protected] and 0.30.4) that added a typosquatted dependency, plain-crypto-js, whose postinstall script downloaded and executed a cross-platform RAT from sfrclak.com. npm removed the compromised packages within about three hours. The report analyzes the dropper and the platform-specific payloads (a macOS Mach-O binary, a Windows PowerShell script, and a Linux Python script), documents the C2 indicators, file and registry artifacts, the timeline, and mitigation steps, and notes that bugs in the RAT limited its effectiveness despite the high distribution risk created by axios's popularity.