Hackers Use Poisoned Axios Package and Phantom Dependency to Spread Cross-Platform Malware

One of the most widely used JavaScript libraries in the world was turned into a weapon on March 30, 2026, when attackers poisoned the Axios npm package and silently deployed malware on developer machines running Windows, macOS, and Linux.

With over 100 million weekly downloads, Axios is the most popular HTTP client in the JavaScript ecosystem, making this supply chain attack one of the most far-reaching incidents of its kind.

The attack began when an unauthorized actor gained control of the npm account belonging to Jason Saayman, the lead maintainer of the Axios project.

The account’s email was quietly swapped to an attacker-controlled ProtonMail address, giving the intruder full admin-level access.

Using a stolen npm access token, the attacker manually published two poisoned versions — [email protected] and [email protected] — within 39 minutes of each other, covering both the current and legacy release branches.

Neither version has any matching commit, tag, or release in the official Axios GitHub repository.

Peter Girnus and Jacob Santos, Trend Micro researchers conducted a forensic examination of the attack, uncovering its complete infection chain and the extent of its damage.

Their analysis found that the threat had already reached organizations across government, finance, healthcare, manufacturing, retail, and technology sectors at the time of their investigation. Telemetry also confirmed active exploitation during the attack window.

Both poisoned versions contained a single new addition to their package manifest: [email protected], a phantom dependency.

This package was never imported or referenced anywhere in the Axios source code — across all 86 files — and existed purely to trigger npm’s automatic postinstall hook during installation.

Once that hook fired, it dropped a cross-platform remote access trojan (RAT) onto the victim’s machine. After execution, the malware deleted its own dropper script and swapped in a clean decoy, leaving the node_modules folder looking completely normal.

The operation was staged with precision over roughly 18 hours. The attacker first published a clean decoy version of plain-crypto-js to build registry history and avoid raising alarms, then registered the command-and-control server hours later before pushing the malicious payload.

The attack also bypassed GitHub Actions’ OIDC Trusted Publisher safeguards — a control that normally binds npm releases to verified CI workflows — by publishing manually with a stolen token, leaving no cryptographic binding or gitHead reference in the metadata.

Inside the RAT Dropper

The dropper, setup.js, used a two-layer obfuscation system to hide its logic from automated scanners. The inner layer applied a custom XOR cipher with the key “OrDeR_7077” and a quadratic index pattern to scramble character-access sequences.

The outer layer reversed encoded strings, restored base64 padding, and passed the result through the inner cipher.

All module names — covering file system access, shell execution, and platform detection — were decoded at runtime through dynamic require() calls, making them invisible to static analysis tools.

Once running, the dropper detected the operating system and launched a matching payload. On macOS, it fetched a binary via AppleScript and saved it under a path mimicking an Apple system daemon.

On Windows, it used a VBScript launcher to run a PowerShell RAT entirely in memory, using a renamed PowerShell binary disguised as Windows Terminal, with no payload written to disk.

On Linux, it downloaded a Python RAT and launched it as a detached background process orphaned to PID 1, surviving past the npm install session.

The C&C server, sfrclak[.]com, was registered just eight hours before the payload went live — a disposable infrastructure choice designed to limit the attacker’s exposure.

Developers who installed the affected versions should immediately pin to [email protected] or [email protected] and remove the plain-crypto-js directory from node_modules.

Any system where RAT artifacts are found should be rebuilt from a known-good state rather than cleaned in place. All credentials accessible during the exposure window — npm tokens, cloud keys, CI/CD secrets, and SSH keys — must be rotated without delay.

Using npm ci –ignore-scripts in CI/CD pipelines blocks postinstall hooks, removing the core execution path this attack relied on. Blocking sfrclak[.]com at the network level is also strongly recommended.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.