Threat Brief: Widespread Impact of the Axios Supply Chain Attack
ID: 32b522aa-da7a-5c5f-9a12-63c86ae595e9
STIX ID: report--32b522aa-da7a-5c5f-9a12-63c86ae595e9
Feed Name: Palo Alto Networks Unit 42
Unit 42 details a supply-chain attack on the Axios npm package. Attacker-controlled releases (v1.14.1 and v0.30.4) added a malicious dependency, plain-crypto-js, whose obfuscated postinstall dropper retrieves a platform-specific RAT payload: a C++ Mach-O binary on macOS, a PowerShell script on Windows and a Python script on Linux. The cross-platform RAT beacons to a C2 server at sfrclak.com:8000, supports commands for execution and persistence, and cleans up after itself to hide traces. The report includes IoCs, affected sectors, Cortex XDR detections and XQL queries, and recommended mitigations: downgrade Axios or pin it to an unaffected version, rotate credentials, and block traffic to the C2.
