Hackers Use Poisoned Axios Package and Phantom Dependency to Spread Cross-Platform Malware
On March 30, 2026, a significant supply chain attack targeted the widely used JavaScript library Axios, a critical component for web developers worldwide. Attackers compromised the official npm account for the Axios project, introducing poisoned versions that silently delivered cross-platform malware to developer machines running Windows, macOS, and Linux. With over 100 million weekly downloads, Axios’s immense popularity made this breach one of the most far-reaching incidents of its kind within the software development ecosystem. The attack exploited a vulnerability in the npm dependency management system, highlighting ongoing risks in the open-source software supply chain.
The incident began when an unauthorized actor gained administrative control over the npm account of Jason Saayman, the lead maintainer of the Axios project. This unauthorized access was facilitated by a quietly swapped email address, directing account-related communications to an attacker-controlled ProtonMail address. Using a stolen npm access token, the intruder then manually published two malicious versions, specifically [email protected] and [email protected]. These versions were released within a 39-minute window, targeting both the current and legacy release branches of the library. Notably, these published versions lacked any corresponding commits, tags, or releases in the official Axios GitHub repository, indicating a sophisticated and clandestine operation.
Trend Micro researchers Peter Girnus and Jacob Santos conducted a detailed forensic examination, uncovering the full infection chain and mapping the extent of the damage. Their analysis revealed that by the time their investigation commenced, the malware had already infiltrated organizations across various critical sectors, including government, finance, healthcare, manufacturing, retail, and technology. Telemetry data further confirmed active exploitation during the attack window, underscoring the immediate threat posed by these poisoned packages.
Inside the Supply Chain Attack: Phantom Dependency and Cross-Platform Malware
Both poisoned versions of Axios contained a single, seemingly innocuous addition to their package manifest: [email protected]. This was not a direct import or reference within the Axios source code but rather a “phantom dependency.” Its sole purpose was to leverage npm’s automatic post-install hook, a script that executes automatically after a package is installed. This mechanism was exploited to deploy a cross-platform remote access trojan (RAT) onto the victim’s machine. Once activated, the malware meticulously deleted its own dropper script and replaced it with a clean, decoy file, leaving the node_modules directory appearing entirely normal and thus evading initial detection.
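The phantom-dependency pattern described above can be checked mechanically. The following is an added example, not code from the article or from the Axios project: it lists packages that a manifest declares but that none of the package's own source files import. The manifest, file names and the version placeholder are constructed for illustration.

```javascript
// Added example: list "phantom" dependencies, i.e. packages declared in a
// manifest that none of the package's own source files import.

// Captures the specifier in require('x'), import('x'), import/export ... from 'x', import 'x'.
const SPECIFIER_RE =
  /(?:require|import)\s*\(\s*['"]([^'"]+)['"]\s*\)|(?:import|export)\s[^'";]*?from\s*['"]([^'"]+)['"]|import\s*['"]([^'"]+)['"]/g;

// 'lodash/fp' -> 'lodash', '@scope/pkg/sub' -> '@scope/pkg'
function packageNameOf(specifier) {
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// sources: { 'relative/file.js': 'file contents', ... }
function importedPackages(sources) {
  const found = new Set();
  for (const text of Object.values(sources)) {
    for (const m of text.matchAll(SPECIFIER_RE)) {
      const spec = m[1] || m[2] || m[3];
      if (spec.startsWith('.') || spec.startsWith('/')) continue; // local file
      found.add(packageNameOf(spec.replace(/^node:/, '')));
    }
  }
  return found;
}

// Only dependencies that npm installs for consumers are considered.
function findPhantomDependencies(manifest, sources) {
  const declared = { ...manifest.dependencies, ...manifest.optionalDependencies };
  const used = importedPackages(sources);
  return Object.keys(declared).filter((name) => !used.has(name)).sort();
}

// Constructed sample: a hypothetical HTTP client package with one unused dependency.
const sampleManifest = {
  name: 'example-http-client',
  dependencies: { 'follow-redirects': '^1.0.0', 'form-data': '^4.0.0', 'plain-crypto-js': '0.0.0-placeholder' },
};
const sampleSources = {
  'lib/adapters/http.js': "import followRedirects from 'follow-redirects';\nimport http from 'http';\n",
  'lib/helpers/toFormData.js': "const FormData = require('form-data');\nimport utils from '../utils.js';\n",
};
console.log(findPhantomDependencies(sampleManifest, sampleSources)); // [ 'plain-crypto-js' ]
```

A hit is a triage lead rather than proof: some legitimate dependencies are loaded by configuration or a CLI and never appear in an import statement.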
The attack was meticulously orchestrated over approximately 18 hours. The threat actor first published a clean version of plain-crypto-js to establish a legitimate registry history, aiming to avoid immediate suspicion. Subsequently, the command-and-control server was registered, followed by the deployment of the malicious payload. This operation also managed to circumvent GitHub Actions’ OIDC Trusted Publisher safeguards, a security feature designed to bind npm releases to verified CI workflows. By publishing manually with a stolen token, the attackers bypassed these checks, leaving no cryptographic binding or gitHead reference in the metadata that would typically link a release to a verified source.
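The missing gitHead and provenance binding noted above is something a consumer can watch for in registry metadata. This added example (not from the article or any vendor tooling) walks a package's version metadata in publish order and reports releases that lack a signal earlier releases carried. It assumes the registry document exposes `time`, `versions[v].gitHead` and `versions[v].dist.attestations`; the package, versions and dates are constructed.

```javascript
// Added example: find releases whose registry metadata dropped the source and
// provenance links that earlier releases of the same package carried.
// Field names (gitHead, dist.attestations, time) are assumed registry metadata fields.

function provenanceSignals(versionMeta) {
  return {
    gitHead: typeof versionMeta.gitHead === 'string' && versionMeta.gitHead.length > 0,
    attestation: Boolean(versionMeta.dist && versionMeta.dist.attestations),
  };
}

function findProvenanceRegressions(packument) {
  // Order by publish time, not semver: a legacy-branch release can be the newest upload.
  const byTime = Object.keys(packument.versions).sort(
    (a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b])
  );
  const seen = { gitHead: false, attestation: false };
  const findings = [];
  for (const version of byTime) {
    const signals = provenanceSignals(packument.versions[version]);
    const missing = Object.keys(seen).filter((k) => seen[k] && !signals[k]);
    if (missing.length > 0) findings.push({ version, published: packument.time[version], missing });
    for (const k of Object.keys(seen)) seen[k] = seen[k] || signals[k];
  }
  return findings;
}

// Constructed metadata for a hypothetical package; hashes, versions and dates are made up.
const attested = { attestations: { provenance: { predicateType: 'https://slsa.dev/provenance/v1' } } };
const samplePackument = {
  name: 'example-lib',
  time: {
    '0.9.0': '2025-01-10T09:00:00Z', '1.0.0': '2025-06-01T09:00:00Z',
    '1.0.1': '2025-09-01T00:21:00Z', '0.9.1': '2025-09-01T01:00:00Z',
  },
  versions: {
    '0.9.0': { gitHead: 'a'.repeat(40), dist: {} },
    '0.9.1': { dist: {} },
    '1.0.0': { gitHead: 'b'.repeat(40), dist: attested },
    '1.0.1': { dist: {} },
  },
};
console.log(findProvenanceRegressions(samplePackument));
```

A maintainer who legitimately publishes by hand produces the same finding, so treat the output as a reason to hold an upgrade and compare against the source repository, not as a verdict.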
The dropper script, identified as setup.js, employed a dual-layer obfuscation technique to evade automated security scanners. The inner layer utilized a custom XOR cipher with the key “OrDeR_7077” and a quadratic index pattern to scramble character sequences. The outer layer then reversed encoded strings, restored base64 padding, and processed the result through the inner cipher. Crucially, all module names, including those for file system access, shell execution, and platform detection, were decoded at runtime and loaded through require() calls. This technique made the malicious code invisible to static analysis tools, significantly increasing its stealth.
Upon execution, the dropper identified the victim’s operating system to launch a targeted payload. On macOS systems, it downloaded a binary via AppleScript and saved it to a location mimicking an Apple system daemon. For Windows machines, a VBScript launcher was used to execute a PowerShell RAT entirely in memory. This PowerShell binary was disguised as Windows Terminal, ensuring no trace of the payload was written to disk. On Linux systems, a Python RAT was downloaded and launched as a detached background process, orphaned to PID 1, allowing it to persist even after the npm install session concluded. The command-and-control server, sfrclak[.]com, was registered only eight hours before the payload went live, a common tactic to limit the attacker’s exposure and traceability by using disposable infrastructure.
Developers who may have installed the affected versions of Axios ([email protected] or [email protected]) are strongly advised to immediately revert to known-good versions, specifically pinning to [email protected] or [email protected]. It is also recommended to manually remove the plain-crypto-js directory from the node_modules folder. For any system where RAT artifacts are detected, a complete rebuild from a trusted source is the safest course of action, rather than attempting in-place cleaning. All sensitive credentials, including npm tokens, cloud keys, CI/CD secrets, and SSH keys, that were accessible during the period of exposure must be rotated without delay. Implementing “npm ci --ignore-scripts” in CI/CD pipelines is a proactive measure that blocks postinstall hooks, effectively neutralizing the core execution path exploited in this attack. Furthermore, blocking the malicious command-and-control domain, sfrclak[.]com, at the network level is a critical step for immediate defense.
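To support the checks recommended above, this added example (not part of the original article) audits a parsed package-lock.json in lockfileVersion 2 or 3 format. It reports whether plain-crypto-js was resolved, which packages pulled it in, and which packages declare install scripts that “npm ci --ignore-scripts” would skip. The lockfile content, package names other than plain-crypto-js, and version placeholders are constructed.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).

// 'node_modules/a/node_modules/@scope/b' -> '@scope/b'
function nameFromPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx < 0 ? path : path.slice(idx + marker.length);
}

function auditLockfile(lock, blockedNames) {
  // The '' key is the root project itself; skip it.
  const entries = Object.entries(lock.packages || {}).filter(([path]) => path !== '');
  const report = { blocked: [], installScripts: [] };
  for (const [path, entry] of entries) {
    const name = entry.name || nameFromPath(path);
    // npm records hasInstallScript for packages with preinstall/install/postinstall hooks.
    if (entry.hasInstallScript) report.installScripts.push(`${name}@${entry.version}`);
    if (!blockedNames.includes(name)) continue;
    // Which resolved packages declare the blocked name as a dependency?
    const requiredBy = entries
      .filter(([, e]) => name in { ...e.dependencies, ...e.optionalDependencies })
      .map(([p, e]) => `${e.name || nameFromPath(p)}@${e.version}`);
    report.blocked.push({ name, version: entry.version, path, requiredBy });
  }
  return report;
}

// Constructed lockfile; versions are placeholders, not the real affected releases.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0', dependencies: { 'example-http-client': '^2.0.0' } },
    'node_modules/example-http-client': {
      version: '2.0.1',
      dependencies: { 'plain-crypto-js': '0.0.0-placeholder' },
    },
    'node_modules/plain-crypto-js': { version: '0.0.0-placeholder', hasInstallScript: true },
    'node_modules/native-addon-example': { version: '3.1.0', hasInstallScript: true },
  },
};
console.log(JSON.stringify(auditLockfile(sampleLock, ['plain-crypto-js']), null, 2));
```

In a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` as the first argument; a non-empty `blocked` list means the install resolved the malicious dependency, and `requiredBy` names the package to pin or replace.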

