Axios Got Backdoored — 400M Weekly Downloads, Cross-Platform RAT

This happened today. Axios versions 1.14.1 and 0.30.4 on npm contained a cross-platform RAT. If you installed either version, assume your system is compromised. Rotate every credential immediately. The malicious versions were live for ~3 hours before npm pulled them.

Axios is the most popular HTTP client in JavaScript. Over 400 million weekly downloads. It's in virtually every Node.js project that makes HTTP requests. Today, an attacker published two backdoored versions using stolen npm credentials from the primary maintainer. Within 2 seconds of npm install, a RAT was calling home — before npm had even finished resolving the rest of your dependencies.

One week ago I wrote about LiteLLM getting backdoored via a compromised security scanner. Same pattern, bigger target. Here's what the axios attack actually does.

How They Got In

The attacker obtained a long-lived classic npm access token for the account jasonsaayman — the primary axios maintainer. They changed the account's email to a Proton Mail address under their control (ifstap@proton.me).

Legitimate axios releases use OIDC Trusted Publisher — cryptographically tied to GitHub Actions workflows. The attacker bypassed this entirely by publishing directly with the stolen token. Neither of the malicious versions has a corresponding GitHub commit, tag, or CI run. They were injected straight into npm.

This is the same class of attack as LiteLLM: credential theft → direct registry publish → bypass all code review.

The Malicious Dependency

Both poisoned versions add one new dependency to package.json: plain-crypto-js@4.2.1. This package is never imported anywhere in the axios source code. It exists solely to execute a postinstall script.

The attacker staged a clean version (4.2.0) 18 hours before the attack to establish registry history. Version 4.2.1 added the payload. Both release branches (1.x and 0.x) were hit within 39 minutes of each other.

The Dropper

The postinstall script (setup.js) uses dual-layer obfuscation:

// Layer 1: Reversed Base64 with padding substitution
// Layer 2: XOR cipher (key: "OrDeR_7077", constant: 333)
// Deobfuscated → detects os.platform() → contacts C2 → drops RAT

// C2: http://sfrclak[.]com:8000/6202033
// macOS: POST packages.npm.org/product0
// Windows: POST packages.npm.org/product1
// Linux: POST packages.npm.org/product2

// SHA256 (setup.js): e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09

After execution, it erases its own tracks: deletes setup.js, removes the malicious package.json, and replaces it with a clean version reporting v4.2.0. The evidence self-destructs. If you check your node_modules after the fact, the malicious package looks normal.

The entire payload runs inside a top-level try/catch that silently swallows all errors. npm install always exits successfully, even if the C2 server is down.

Platform-Specific RAT Payloads

macOS

Downloads a binary to /Library/Caches/com.apple.act.mond — spoofing Apple daemon naming. The binary was built from Xcode project macWebT (developer path: /Users/mac/Desktop/Jain_DEV/client_mac/macWebT/). This codename links directly to BlueNoroff's 2023 RustBucket campaign. Classified as NukeSped by 4 independent AV engines — a malware family exclusively attributed to Lazarus/DPRK.

Generates a 16-character victim ID, fingerprints the system, beacons to C2 every 60 seconds using a fake IE8/Windows XP User-Agent (mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)) — the same anomalous string used across BlueNoroff campaigns since 2023. Accepts four commands:

peinject — Decodes Base64 binaries, performs ad-hoc code signing to bypass Gatekeeper
runscript — Executes shell commands or AppleScript
rundir — Enumerates /Applications, ~/Library, ~/Application Support
kill — Self-terminates

SHA256: 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a

Windows

VBScript downloader copies PowerShell to %PROGRAMDATA%\wt.exe (masquerading as Windows Terminal). Executes hidden PowerShell RAT with execution policy bypass.

Linux

Python RAT downloaded to /tmp/ld.py. Launched as an orphaned background process via nohup python3 — detached from the process tree, reparented to PID 1.

All three variants use nohup and shell backgrounding to daemonize the payload. The processes are orphaned from the npm install process tree, making them invisible to typical process monitoring.

The Timeline

Mar 30, 05:57plain-crypto-js@4.2.0 published (clean decoy to establish registry history).

Mar 30, 23:59plain-crypto-js@4.2.1 published (malicious payload).

Mar 31, 00:21axios@1.14.1 published. 39 minutes before 0.x branch.

Mar 31, ~00:27Socket's security scanner detects the malicious version within 6 minutes.

Mar 31, 01:00axios@0.30.4 published. Both release branches now compromised.

Mar 31, ~03:15npm unpublishes both axios versions.

Mar 31, 03:25npm initiates security hold on plain-crypto-js.

Mar 31, 04:26npm publishes security stub.

Total exposure window: ~3 hours. Axios gets 400 million downloads per week. That's roughly 7,000 downloads per minute. Even a 3-hour window means potentially hundreds of thousands of infected installs — primarily CI/CD pipelines running unpinned dependency updates.

Indicators of Compromise

Type	Indicator
Package	`plain-crypto-js@4.2.1` in node_modules
macOS	`/Library/Caches/com.apple.act.mond`
Windows	`%PROGRAMDATA%\wt.exe`
Linux	`/tmp/ld.py`
Network	`sfrclak[.]com:8000` or `142.11.206.73:8000`
npm account	`nrwise` (`nrwise@proton.me`)

# Check if you're affected
npm ls axios | grep -E "1\.14\.1|0\.30\.4"
find node_modules -name "plain-crypto-js" -type d
ls -la /Library/Caches/com.apple.act.mond 2>/dev/null
ls -la /tmp/ld.py 2>/dev/null
ss -tnp | grep "142.11.206.73"

The Pattern

This is the second major npm supply chain attack in one week. LiteLLM was compromised on March 24 via a poisoned Trivy binary that stole PyPI credentials. Axios was compromised on March 31 via a stolen npm token. Different ecosystems, same playbook:

Steal a maintainer credential (token, password, or session)
Publish directly to the registry (bypass CI/CD, bypass code review)
Inject a malicious dependency (not the package itself — a new dep with a postinstall hook)
Self-destruct (erase evidence after execution)

The sophistication is increasing. LiteLLM's attacker left development history in the code. The axios attacker pre-staged a clean decoy package 18 hours in advance, hit both release branches in 39 minutes, built three OS-specific payloads, and designed the dropper to replace itself with a clean version after execution. This was planned.

What Actually Helps

Pin exact dependency versions in lockfiles. axios@^1.14.0 pulled 1.14.1 automatically.
Use --ignore-scripts by default. The RAT ran via postinstall. No scripts, no RAT.
Enable npm's OIDC Trusted Publisher for your packages. Classic tokens are theft targets.
Monitor for new dependencies in updates. plain-crypto-js appeared from nowhere in a patch release.
Run Socket, Snyk, or StepSecurity in CI. Socket detected this in 6 minutes.

The npm ecosystem has no mechanism to prevent a compromised maintainer from publishing. npm tokens don't expire by default. There's no mandatory 2FA on publish for top packages. There's no "this release looks different from all previous releases" warning. Until that changes, this will keep happening.

Update: Attribution — BlueNoroff / Lazarus Group (North Korea)

Update (March 31, evening): Multiple researchers and Google's threat intelligence team have attributed this attack to BlueNoroff, a subgroup of North Korea's Lazarus Group (also tracked as UNC1069 by Google, APT38 by others). This is a nation-state supply chain attack on open-source infrastructure.

The attribution evidence is strong and multi-layered:

NukeSped classification. Four independent antivirus engines (AVG, Avast, Avira, F-Secure) classified the macOS RAT as Trojan.nukesped — a malware family exclusively attributed to Lazarus. This designation has never appeared in any campaign outside of DPRK-linked operations.

Xcode project name. The macOS binary contains the developer path /Users/mac/Desktop/Jain_DEV/client_mac/macWebT/. The internal codename macWebT connects directly to BlueNoroff's documented webT module from their 2023 RustBucket campaign. This codename has never appeared in any campaign outside BlueNoroff.

Infrastructure overlap. The C2 server 142.11.206.73 sits on Hostwinds AS54290, the same /18 netblock as 12 confirmed Lazarus IPs documented by Hunt.io.

User-Agent fingerprint. All three variants (macOS, Windows, Linux) use the same fake User-Agent: mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0) — an IE8/Windows XP string on modern systems. This exact string has been used across BlueNoroff campaigns for three years: RustBucket (2023), Hidden Risk (2024), and now Axios (2026).

Broken Linux payload. The Linux RAT's peinject command references an undefined variable at line 156, making binary injection non-functional. This suggests hastily deployed, untested code — consistent with the operational tempo of state-sponsored campaigns that prioritize speed over quality.

This is the same group that stole $1.5 billion from Bybit in February 2025. They fund North Korea's weapons programs through cryptocurrency theft and supply chain attacks. Today they targeted the JavaScript ecosystem's most popular HTTP client.

The npm registry just became a national security concern.