A recent compromise of the widely-used axios HTTP client library provides a stark example of how npm supply chains can be leveraged to drop cross-platform Remote Access Trojans (RATs). Rather than exploiting a vulnerability in application code, the attacker hijacked a maintainer account to inject a malicious dependency, enabling initial access without disrupting normal functionality.

This incident reflects a broader shift toward supply chain attacks that exploit trust relationships and automated developer workflows.

Initial Access and Manipulation of Trust

As explained by Step Security, the attacker compromised the primary maintainer account for axios, changing the associated email address and bypassing the project's standard GitHub Actions CI/CD pipeline. They manually published versions 1.14.1 and 0.30.4 using a stolen npm access token. Because these versions were published under the legitimate maintainer’s account, they appeared indistinguishable from safe releases to the untrained eye.

A critical detail is how the attacker bypassed standard operational patterns. Legitimate axios 1.x releases are published via GitHub Actions using npm's OIDC Trusted Publisher mechanism. The compromised releases broke this pattern, relying entirely on a manual publish with no corresponding GitHub commit or tag.

Execution and Stealth

Instead of altering the axios source code, the attacker injected a single malicious dependency: plain-crypto-js@^4.2.1. This phantom dependency was never imported in the axios codebase. Its sole purpose was to trigger a postinstall hook during npm install.

The injected payload executed as part of the normal installation flow. The obfuscated dropper deployed platform-specific second-stage payloads targeting macOS, Windows, and Linux while establishing communication with a command-and-control (C2) server.

Crucially, the malware was designed to clean up after itself. Immediately after execution, the script deleted its own installation files and swapped its manifest with a clean decoy, erasing its footprint from the node_modules directory. The pipeline or local install completed successfully, with no visible errors or failures, allowing the attack to operate without raising suspicion.

Observations on Attack Design

Three aspects of this attack are notable from a defensive perspective:

1. Pre-staging for Evasion: The attacker published a clean decoy of plain-crypto-js 18 hours in advance to build registry history, followed by the malicious payload. This effectively bypassed "brand-new package" heuristic alerts.
2. Ephemeral Footprints: By utilizing a self-cleaning postinstall script, the attack left practically no trace on the filesystem post-execution. Developers inspecting their local dependencies after the fact would find no obvious indicators of compromise.
3. Process Detachment: The malware orchestrated its execution to orphan its own processes (using commands like nohup), severing parent-child relationships to actively evade simple process attribution.

Implications for Detection

This type of attack challenges conventional security approaches. Traditional Software Composition Analysis (SCA) tools and configuration scanners rely on known CVE databases or static file analysis. However, in the critical window before the malicious packages were universally flagged and taken down by npm, static tools were effectively blind.

The attack falls into a common blind spot: it does not introduce externally identifiable vulnerabilities, and once the postinstall script executes and self-deletes, post-infection static scanning of dependencies is rendered largely useless.

The only observable indicators were behavioral. These include unexpected outbound HTTP requests during an npm install, the spawning of detached background processes, and unauthorized file writes to system directories. Detecting these signals requires visibility into runtime activity rather than reliance on pre-execution analysis.

Observed Indicators of Compromise

The axios supply chain incident produced a consistent set of observable indicators:

• Malicious Packages: axios@1.14.1 and axios@0.30.4
• Injected Dependency: plain-crypto-js@4.2.1
• Network C2: Outbound connections to sfrclak[.]com (Port 8000)
• File System Artifacts:

• macOS: /Library/Caches/com.apple.act.mond
• Windows: %PROGRAMDATA%\wt.exe
• Linux: /tmp/ld.py

Immediate Mitigation Considerations

Organizations using axios that executed installations between March 30 and March 31, 2026, should consider the possibility of system compromise and credential exposure.

Recommended actions include downgrading and pinning axios to known safe versions (1.14.0 or 0.30.3). Because the RAT executes on installation, any system that pulled the malicious packages should not be cleaned in place; it must be rebuilt from a known-good state. Furthermore, teams should rotate all CI/CD secrets, cloud credentials, and developer tokens that were present on affected machines. Moving forward, utilizing the --ignore-scripts flag in automated CI/CD pipelines is a strong defense against malicious postinstall hooks.

Perspective

The axios incident illustrates a growing category of attacks that operate within trusted systems rather than against them. From a defensive standpoint, the key challenge is not just identifying known bad artifacts, but understanding when legitimate tools—like automated package managers—behave in unexpected ways.

Security approaches that incorporate intelligent behavioral analysis and can respond to deviations during execution are better positioned to address this class of threat.

How Sweet Security Can Help

The axios compromise highlights a critical gap in modern cloud and application security: most tools can observe or alert on a suspicious package after it's widely reported, but very few can actively catch the malicious behavior while it is happening.

Attacks like this unfold entirely at runtime. By the time a finding is surfaced by a static scanner, the RAT is already deployed. Closing this gap requires the ability to both understand behavior and intervene immediately.

Sweet Security focuses on enabling that shift:

• Runtime visibility with execution context: Observe how workloads behave during execution, including process activity, file system modifications, and network communication. This provides the context needed to identify when trusted tools are being abused.
• Model-driven behavioral detection: Rather than relying purely on static rules, Sweet uses a learning-based approach to understand normal behavior and detect deviations—such as a node installation process unexpectedly establishing a connection to an external server or spawning detached scripts.
• Real-time remediation during execution: When abnormal behavior is detected, Sweet enables immediate action during runtime, helping stop malicious activity before it can fully deploy a secondary payload or exfiltrate data.‍
• Execution-based investigation context: Provide clear visibility into what actually ran and what it accessed, helping teams investigate incidents like phantom dependency drops and make more informed remediation decisions.