Supply Chain Attacks Surge in March 2026
ID: a604409c-438a-5a0f-85a9-d436f044ade1
STIX ID: report--a604409c-438a-5a0f-85a9-d436f044ade1
Feed Name: Zscaler Security Research Blog
On 2026-03-30, researchers discovered a supply-chain compromise of the Axios NPM package (affected versions 1.14.1 and 0.30.4) carried out through account takeover. The attackers published malicious releases that add a hidden dependency (plain-crypto-js) containing a postinstall script that deploys a cross-platform RAT. The malware contacts its C2 at sfrclak.com (and IP 142.11.206.73), fetches platform payloads, and attempts to cover its tracks by removing traces and restoring a clean package.json. Recommended mitigations include removing compromised packages, downgrading to known-good versions, revoking tokens, enforcing MFA, restricting package manager access in CI, and scanning/isolating potentially impacted systems.
