Axios NPM Distribution Compromised in Supply Chain Attack
ID: 7dcebc00-be2f-58d9-8c7f-6a6c605307a5
STIX ID: report--7dcebc00-be2f-58d9-8c7f-6a6c605307a5
Feed Name: Wiz Blog
On 2026-03-31 an unknown actor compromised an axios maintainer account and published malicious [email protected] and @0.30.4 releases that added a trojanized dependency (plain-crypto-js); its dropper (setup.js) fetched cross-platform second-stage RATs from sfrclak.com:8000, enabling reconnaissance, remote shell access, persistence, and beaconing. Although the malicious versions were removed within hours, axios's ubiquity (present in ~80% of cloud and code environments, with ~100M weekly downloads) meant the payload executed in a measurable share of exposed environments (~3% of those affected). The report includes comprehensive IOCs, remediation steps (audit axios usage, rotate secrets, investigate build pipelines), and detection guidance.