Critical Supply Chain Attack Discovered in Axios NPM Package, Deploying RAT to Developers

A critical supply chain attack has been uncovered targeting Axios, a popular JavaScript HTTP client library with over 100 million weekly downloads on npm. Discovered on March 31st, 2026, the attack involved the publication of two malicious Axios versions to the npm registry. These compromised releases deploy a Remote Access Trojan (RAT) onto developer workstations and CI/CD servers, giving the attackers access to sensitive material such as AWS credentials, OpenAI API keys, and other local files. Notably, the Axios source code itself contained nothing malicious: the payload arrived through a dependency that the poisoned releases pulled in, so reviewing the library's own code would not have revealed it. The incident underlines the risk carried by third-party dependencies that teams adopt for developer experience (DX) in preference to native platform alternatives such as the fetch API.

The attack chain began with the compromise of an Axios maintainer's npm account: using a stolen npm access token, the attacker published the malicious versions under a Proton Mail address. Rather than embedding malware directly in Axios, the attacker added a rogue dependency named plain-crypto-js (a look-alike of the legitimate crypto-js package) to the release. This rogue package carried an obfuscated post-install script that acted as a RAT dropper. On installation, the script first detected the host operating system, then contacted a remote command-and-control (C2) server to fetch a second-stage RAT payload tailored to that platform. The payload was written to disk and executed to establish remote access, enabling credential theft and further malicious activity. Crucially, the dropper then covered its tracks: it deleted itself, removed its own entries from package.json, and stripped the post-install script, so that a later look at the installed tree or an npm audit run would show nothing suspicious.

Users are strongly advised to check their package.json and lockfile for the affected Axios versions, to look for plain-crypto-js anywhere under node_modules (it is a transitive dependency, so it will not appear in the application's own package.json), and to run the OS-specific commands published by the responders to detect the RAT file. Because the dropper cleans up after itself, the absence of a post-install script is not evidence that a machine is safe; the presence of the package directory, or of the affected Axios versions in a lockfile, is the indicator that matters. If a system is compromised, simply deleting the RAT is insufficient: rotate every API key and token that the machine could reach, and follow the incident guidance from security firms such as StepSecurity.