On March 30-31, 2026, the cybersecurity world witnessed what will likely go down in history as one of the most successful software supply chain attacks ever executed. The ubiquitous axios NPM package—a heavily relied-upon HTTP client downloaded over 40 million times a week—was successfully compromised after threat actors locked the core maintainer out of their accounts.
This breach allowed attackers to inject a highly sophisticated, multi-platform Remote Access Trojan (RAT) into countless development pipelines and production environments. Here at Threat Landscape, we are breaking down the anatomy of this massive compromise, the technical tradecraft utilized by the threat actors, and the specific Tactics, Techniques, and Procedures (TTPs) deployed in the wild.
The Attack Vector: A Two-Front Compromise
The incident began with a dual-account takeover targeting Jason Saayman, the NPM and GitHub maintainer of the Axios project. Rather than going through the project's GitHub Actions release workflow, which attaches OIDC-based NPM provenance to each release, the threat actor published the malicious versions (v1.14.1 and v0.30.4) directly from the NPM CLI with the stolen credentials. That detail matters for detection: a release published this way carries no provenance attestation tying it to the project's repository and workflow, even though it came from the legitimate maintainer account.
These malicious releases introduced a brand-new dependency, plain-crypto-js, named to blend in with legitimate cryptographic libraries (combosquatting) and serving as the Trojan horse. Once a developer or an automated CI/CD pipeline installed the compromised Axios package, NPM resolved the new dependency and automatically ran its postinstall lifecycle script, which launched the heavily obfuscated setup.js (node setup.js). Nothing in the application has to import Axios for this to happen: the payload executes at install time.
The Payload: Multi-Platform Sophistication
The threat actors showed professional-grade tradecraft. The initial dropper wrapped itself in multiple obfuscation layers, including Base64 encoding, string reversal, and two rounds of XOR, to hide its intent from casual review. Once deobfuscated in memory, the script identified the victim's operating system and retrieved a platform-specific second-stage RAT from the Command and Control (C2) server sfrclak.com over plaintext HTTP on port 8000.
- Windows: an 11 KB PowerShell RAT capable of reflective DLL injection, with persistence established through a Registry Run key deceptively named MicrosoftUpdate.
- macOS: a Mach-O universal binary (Intel and Apple Silicon) dropped at /Library/Caches/com.apple.act.mond, masquerading as a native Apple daemon.
- Linux: a Python RAT that performed extensive system reconnaissance, tracked its parent process, and readied the host for remote code execution.
Across all three operating systems, the RAT immediately began comprehensive file system enumeration, aggressively targeting sensitive directories such as .ssh, .aws, and the user's documents. That behavior strongly suggests an espionage or credential-theft motive rather than a financially driven campaign.
Tactics, Techniques, and Procedures (TTPs)
To help security teams model and hunt for this threat, we have mapped the attacker's behaviors to the MITRE ATT&CK framework:
| Tactic | Technique | MITRE ID | Description of Observed Behavior |
|---|---|---|---|
| Initial Access | Supply Chain Compromise | T1195.002 | Attackers took over the maintainer's NPM and GitHub accounts to publish malicious Axios versions containing the rogue plain-crypto-js dependency. |
| Execution | Command and Scripting Interpreter | T1059 (T1059.007 JavaScript, T1059.001 PowerShell, T1059.006 Python, T1059.002 AppleScript) | The NPM postinstall hook ran node setup.js, which in turn used PowerShell, Python, and AppleScript to execute the multi-stage payloads. |
| Persistence | Boot or Logon Autostart Execution | T1547.001 | Added a persistence mechanism via HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate on Windows victims. |
| Defense Evasion | Obfuscated Files or Information | T1027 | Utilized Base64 encoding, string reversal, and position-dependent XOR encryption to hide the initial setup script. |
| Defense Evasion | Indicator Removal on Host | T1070.004 | The initial setup.js script deleted itself (fs.unlink) and altered package.json to evade post-mortem forensic analysis. |
| Defense Evasion | Reflective Code Loading | T1620 | Utilized reflective DLL injection for the Windows payload to run the .NET RAT entirely in memory. |
| Discovery | System Information / Process / File Discovery | T1082 / T1057 / T1083 | The RAT actively gathered hardware fingerprints, running processes (to spot EDRs), and enumerated target directories (e.g., .ssh). |
| Command and Control | Application Layer Protocol: Web Protocols / Non-Standard Port | T1071.001 / T1571 | Beaconed over unencrypted HTTP on port 8000 (sfrclak.com:8000) with an antiquated IE8 User-Agent string. Plaintext on a non-standard port sidesteps TLS-centric inspection, and the stale User-Agent is itself a useful hunting indicator. |
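The Command and Control row above is easy to turn into detection logic. The Node.js script below is an added example, not code from the original post or the OpenSource Malware report: it parses constructed egress-proxy log lines and flags traffic to sfrclak.com, plaintext HTTP to any non-default port (a generalisation of the single 8000 indicator), and a stale Internet Explorer User-Agent. Only the domain, the port, the plaintext scheme and the "IE8 User-Agent" description come from the post; the exact User-Agent string, the log format and the sample lines are assumptions made for the demonstration.

```javascript
// Added example, not code from the original post or the OpenSource Malware
// report: hunt egress/proxy logs for the C2 pattern documented in the TTP table.
// From the post: the domain sfrclak.com, plaintext HTTP on port 8000 and an
// "antiquated IE8 User-Agent". The exact UA string, the log format and the
// sample lines are assumptions constructed for this demonstration.
const C2_HOST = 'sfrclak.com';
const C2_PORT = 8000;
// Assumption: the stale UA carries a classic MSIE token. Nothing in a build or
// developer fleet should identify itself as Internet Explorer 5 through 8.
const STALE_UA = /MSIE [5-8]\./;

// Constructed log format: <iso-ts> <src-ip> <method> <url> <status> <bytes> "<user-agent>"
const SAMPLE_LOG = [
  '2026-03-30T19:12:04Z 10.20.3.14 GET http://sfrclak.com:8000/stage2 200 11264 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"',
  '2026-03-30T19:12:06Z 10.20.3.14 POST http://sfrclak.com:8000/beacon 200 312 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"',
  '2026-03-30T19:12:09Z 10.20.3.22 GET https://registry.npmjs.org/axios 200 48201 "npm/10.8.2 node/v20.11.0 linux x64"',
  '2026-03-30T19:13:41Z 10.20.3.31 GET http://internal-mirror.corp:8080/metrics 200 1203 "curl/8.5.0"',
  'this line does not match the log format and is skipped',
];

// Parse one line into a record, or return null if it is malformed.
function parseLine(line) {
  const m = line.match(/^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+) "([^"]*)"$/);
  if (!m) return null;
  let url;
  try { url = new URL(m[4]); } catch { return null; }
  const scheme = url.protocol.slice(0, -1);              // 'http:' -> 'http'
  const port = url.port ? Number(url.port) : (scheme === 'https' ? 443 : 80);
  return { ts: m[1], src: m[2], method: m[3], scheme, host: url.hostname, port, path: url.pathname, ua: m[7] };
}

// Return the reasons a record is suspicious (empty array if it looks clean).
function classify(rec, allowHosts) {
  const reasons = [];
  if (rec.host === C2_HOST) {
    reasons.push(rec.port === C2_PORT ? 'known C2 host and port' : 'known C2 domain on an unexpected port');
  }
  // Generalisation beyond the single IOC: any plaintext HTTP to a non-default
  // port from a build host deserves a look unless the destination is allowlisted.
  if (rec.scheme === 'http' && rec.port !== 80 && !allowHosts.has(rec.host)) {
    reasons.push(`plaintext HTTP on non-standard port ${rec.port}`);
  }
  if (STALE_UA.test(rec.ua)) reasons.push('stale Internet Explorer User-Agent');
  return reasons;
}

// Run the hunt over raw lines; allowHosts suppresses the generic port rule for known-good services.
function huntC2(lines, allowHosts = new Set()) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const reasons = classify(rec, allowHosts);
    if (reasons.length > 0) hits.push({ ...rec, reasons });
  }
  return hits;
}

// Stand-alone run: the two sfrclak.com beacons are reported with three reasons each.
for (const hit of huntC2(SAMPLE_LOG, new Set(['internal-mirror.corp']))) {
  console.log(`${hit.ts} ${hit.src} -> ${hit.host}:${hit.port} :: ${hit.reasons.join('; ')}`);
}
```

The domain match is the high-confidence rule; the port and User-Agent rules are there to catch the same tradecraft after the C2 moves, which is why they need an allowlist of legitimate internal services on non-default ports (the constructed internal-mirror.corp:8080 entry shows the false positive you get without one).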
Remediation and Looking Ahead
While the active window of compromise only lasted roughly 3 hours and 19 minutes before NPM administrators revoked the tokens and pulled the packages, the sheer ubiquity of Axios means the blast radius is vast.
Organizations must assume compromise if Axios v1.14.1 or v0.30.4 was installed, built, or deployed in any environment during the window. Because the payload runs from a postinstall hook, a CI job that merely ran npm install against a floating version range is affected even if nothing was shipped. Remediation means isolating affected systems, hunting for the documented IOCs (the compromised versions and the plain-crypto-js package in lockfiles, the persistence artifacts described above, and traffic to sfrclak.com:8000), rotating every credential that was reachable from those hosts (SSH keys, cloud credentials, registry and CI tokens), and vetting transitive dependencies.
This event is a stark reminder of the fragility of the open-source trust model. Enforcing lock files (npm ci installs exactly the pinned, integrity-checked versions and fails on any mismatch, so a lockfile committed before the malicious publish would never have pulled v1.14.1), running Software Composition Analysis (SCA), and disabling automatic NPM lifecycle scripts (ignore-scripts=true in .npmrc, after checking which legitimate dependencies rely on install scripts and building those explicitly) are no longer just best practices; they are survival tactics in the modern threat landscape.
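The lockfile hunt described in the remediation steps, and the install-time execution path described in the attack-vector section, can both be checked from package-lock.json without running npm. The Node.js script below is an added example, not code from the original post, the OpenSource Malware report or the axios project: it flattens either lockfile format (the nested v1 tree and the flat v2/v3 packages map), flags the two compromised axios versions and any occurrence of plain-crypto-js, and, for v2/v3 lockfiles, lists every package whose hasInstallScript flag shows it would run a lifecycle script on install. The package names and versions come from the post; the lockfile object embedded in the script is constructed for the demonstration, and the rogue package's version in it is a placeholder.

```javascript
// Added example, not code from the original post, the report or the axios
// project: audit a package-lock.json for the indicators described in this post.
// The compromised axios versions and the plain-crypto-js name come from the post;
// the lockfile object below is constructed for the demonstration.

// Package name -> set of bad versions, or null meaning "any version is an IOC".
const COMPROMISED = new Map([
  ['axios', new Set(['1.14.1', '0.30.4'])],
  ['plain-crypto-js', null],
]);

// Constructed lockfile (lockfileVersion 3). Paths under "packages" encode nesting;
// the rogue package's version is a placeholder since any version of that name counts.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/plain-crypto-js': { version: '1.0.0', hasInstallScript: true },
    'node_modules/follow-redirects': { version: '1.15.6' },
    'node_modules/legacy-lib/node_modules/axios': { version: '1.13.0' },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(p) {
  const i = p.lastIndexOf('node_modules/');
  return i === -1 ? null : p.slice(i + 'node_modules/'.length);
}

// Flatten either lockfile format into { name, path, version, hasInstallScript } records.
function walkLockfile(lock) {
  const out = [];
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path; "" is the root project.
    for (const [p, meta] of Object.entries(lock.packages)) {
      const name = nameFromPath(p);
      if (name) out.push({ name, path: p, version: meta.version, hasInstallScript: meta.hasInstallScript === true });
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested tree, and no hasInstallScript flag to rely on.
    const visit = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const p = `${prefix}node_modules/${name}`;
        out.push({ name, path: p, version: meta.version, hasInstallScript: undefined });
        if (meta.dependencies) visit(meta.dependencies, `${p}/`);
      }
    };
    visit(lock.dependencies, '');
  }
  return out;
}

// Return one finding per matched indicator. A package can appear twice
// (known-bad and install-script) because each is a separate triage action.
function auditLockfile(lock) {
  const findings = [];
  for (const pkg of walkLockfile(lock)) {
    if (COMPROMISED.has(pkg.name)) {
      const bad = COMPROMISED.get(pkg.name);
      if (bad === null || bad.has(pkg.version)) {
        findings.push({ ...pkg, reason: 'known compromised package or version' });
      }
    }
    if (pkg.hasInstallScript) {
      findings.push({ ...pkg, reason: 'runs a lifecycle script at install time' });
    }
  }
  return findings;
}

// Stand-alone run against the constructed lockfile. For a real checkout:
//   auditLockfile(JSON.parse(require('node:fs').readFileSync('package-lock.json', 'utf8')))
for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version}: ${f.reason}`);
}
```

npm records hasInstallScript for packages whose package.json declares preinstall, install or postinstall scripts, so the second kind of finding doubles as the list of dependencies that ignore-scripts=true will affect; review that list before enforcing the setting and run the build steps those packages need explicitly. Nested copies (the legacy-lib/node_modules/axios entry in the sample) are walked too, since a clean top-level axios does not rule out a compromised one deeper in the tree.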
Source Reference: The technical details and forensic timeline in this post were sourced directly from the primary threat report published by OpenSource Malware, "One of the most popular JavaScript packages on earth Axios has been compromised".