Axios Supply Chain Incident: Indicators of Compromise

Responding to the Axios Supply Chain Incident and IoCs

March 31st, 2026

Axios, the very popular HTTP client library, was compromised for three hours on March 30th. The incident was first reported by Step Security, and the impacted versions have since been removed from the npm registry to stop the spread. Semgrep has released rules for the compromised packages: customers can review their dashboard or the advisories page to see whether any of their projects installed these versions recently, and can also search for any project that depends on axios.

The compromised packages were the following versions:

  • plain-crypto-js@4.2.1

  • axios@1.14.1

  • axios@0.30.4

The impacted axios packages were published with an injected malicious dependency, plain-crypto-js@4.2.1, which silently deploys a cross-platform RAT (Remote Access Trojan) via a postinstall hook. Within roughly 15 seconds of npm install, the malware fingerprints the OS, downloads a platform-specific payload (PowerShell for Windows, Python for Linux, a native Mach-O binary for macOS), establishes persistence, and begins beaconing system information and file listings to the C2 at sfrclak[.]com:8000 every 60 seconds. This gives the attacker arbitrary code execution, file enumeration, and process injection on compromised machines. See “One of the most popular JavaScript packages on earth Axios has been compromised” and “Step Security: axios Compromised on npm” for a detailed breakdown.

Because so many other packages depend on axios, installing any package that resolved axios@latest (or one of the specific compromised versions) during the window may have installed the RAT on the machine. That includes indirect installs such as those performed by VS Code extensions, as well as packages installed locally.

If you are affected, assume every credential on the affected machines is compromised: quarantine those machines and rotate any credentials they held.

Detecting Compromise: File System Artifacts by Platform

The dropper self-destructs after execution: it deletes setup.js, removes the original package.json, and renames a pre-staged clean stub into its place. A post-infection inspection of node_modules/plain-crypto-js/ will therefore look completely clean. The directory's mere existence is sufficient evidence that the dropper ran, since plain-crypto-js is not a dependency of any legitimate axios version.

Each platform receives a different persistent artifact:

Platform | Persistent artifact | Description
-------- | ------------------- | -----------
macOS | /Library/Caches/com.apple.act.mond | RAT binary. The path mimics Apple's reverse-DNS daemon naming in a system directory rarely checked during IR.
Windows | %PROGRAMDATA%\wt.exe | A copy of powershell.exe renamed to look like Windows Terminal. The temp artifacts %TEMP%\6202033.vbs and %TEMP%\6202033.ps1 self-delete.
Linux | /tmp/ld.py | Python RAT script executed via nohup. Unlike the artifacts on the other platforms, this file is not self-deleted.

On all platforms, the RAT beacons system information to sfrclak[.]com:8000 every 60 seconds. Check for active connections with lsof -i -nP | grep 142.11.206.73 on macOS/Linux (the -n flag makes lsof print addresses numerically, so grepping for the domain name would miss the connection) or netstat -ano | findstr "142.11.206.73" on Windows. The dropper launches the RAT under nohup so that the process is reparented to PID 1; it therefore survives after npm install completes and persists across CI/CD workflow steps on the same runner.
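The sweep below is an added example, not code from the original post or from Semgrep's products: a POSIX shell script that checks a host (or a mounted disk image) for the indicators listed above, namely any node_modules/plain-crypto-js directory, the macOS and Linux persistent artifacts, and live sockets to the C2. It assumes that 142.11.206.73 is the address sfrclak[.]com resolved to during the incident, as in the Windows netstat check; the Windows artifacts are not covered because the script targets macOS/Linux hosts and CI runners.

```sh
#!/bin/sh
# Added example (not from the original post, not Semgrep tooling): host sweep for the
# file-system and network indicators of the axios/plain-crypto-js compromise.
# Run as root so the system paths are readable. Assumption: 142.11.206.73 is the
# address sfrclak[.]com resolved to during the incident.

# Print every node_modules/plain-crypto-js directory beneath ROOT. The directory's
# presence is the indicator: the dropper cleans its own contents, so never judge
# by what is inside it.
find_dropper_dirs() {
    find "$1" -type d -path '*/node_modules/plain-crypto-js' 2>/dev/null
    return 0
}

# Print each macOS/Linux persistent artifact that exists. An optional PREFIX lets
# you point the check at a mounted disk image instead of the live root filesystem.
find_platform_artifacts() {
    prefix=${1:-}
    for p in /Library/Caches/com.apple.act.mond /tmp/ld.py; do
        [ -e "$prefix$p" ] && echo "$prefix$p"
    done
    return 0
}

# Print live sockets to the C2 address. lsof -n prints addresses numerically, so
# match the IP rather than the domain name.
find_c2_connections() {
    command -v lsof >/dev/null 2>&1 || return 0
    lsof -i -nP 2>/dev/null | grep -F '142.11.206.73' || true
}

# Combined verdict: return 1 if any indicator is present, 0 if clean.
ioc_sweep() {
    root=${1:-/}      # where to search for node_modules trees
    prefix=${2:-}     # mount prefix for the platform artifact paths ("" = live host)
    hits=$( { find_dropper_dirs "$root"; find_platform_artifacts "$prefix"; find_c2_connections; } | grep -c . || true )
    if [ "$hits" -gt 0 ]; then
        echo "INDICATORS FOUND ($hits). Quarantine this host and rotate its credentials."
        return 1
    fi
    echo "No axios/plain-crypto-js indicators found under $root"
    return 0
}

# Usage: ioc_sweep /                    (live host, run as root)
#        ioc_sweep /mnt/img /mnt/img    (mounted evidence image)
```

A non-zero exit from ioc_sweep is the signal to quarantine. The directory hit alone is enough even when /tmp/ld.py has been removed and no beacon is currently in flight, because the RAT may simply be between its 60-second check-ins.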

EDR and Network Detection

For network-level detection, the key signatures are HTTP POST requests to sfrclak[.]com:8000/6202033 whose body contains packages.npm.org/product0 (macOS), product1 (Windows), or product2 (Linux). These POST body strings are designed to look like benign npm registry traffic at a glance, but packages.npm.org is not the npm registry (that is registry.npmjs.org); the domain belongs to the National Association of Pastoral Musicians.

On the endpoint side, the distinctive behavioral signal is node spawning curl, osascript, cscript, or python3 as a child process with a working directory inside node_modules/. On Windows specifically, watch for powershell.exe being copied to %PROGRAMDATA%\wt.exe and for cscript.exe launched with node.exe as its parent.
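To turn the network and endpoint signatures above into something you can run over existing telemetry, here is an added example (not part of the original post) in POSIX shell with awk. The log formats are constructed for the example: one line per HTTP request as a proxy might export it, and one line per process start as an EDR export with parent, child and cwd fields. Adapt the field names to your own sources; the matching conditions are what carry over.

```sh
#!/bin/sh
# Added example (not from the original post): match the C2 and process-spawn
# signatures against log lines read on stdin. Field names are constructed for
# this example and must be adapted to your proxy/EDR export format.

# HTTP signature: a POST to sfrclak.com port 8000 with URI /6202033 whose body
# carries packages.npm.org/product0, product1 or product2. All three conditions
# are required; the product strings alone also appear in unrelated traffic.
match_c2_http() {
    awk '/POST/ && /sfrclak\.com:8000\/6202033/ && /packages\.npm\.org\/product[012]/'
}

# Endpoint signature: node (or node.exe) spawning curl, osascript, cscript or
# python3 with a working directory inside a node_modules tree.
match_suspicious_spawn() {
    awk '/parent=node(\.exe)? / && /child=(curl|osascript|cscript|python3)(\.exe)? / && /cwd=[^ ]*node_modules/'
}

# Constructed sample proxy log: lines 1 and 3 are beacons, line 4 is a decoy that
# only shares the body string.
SAMPLE_HTTP_LOG='2026-03-31T01:12:04Z POST http://sfrclak.com:8000/6202033 body="packages.npm.org/product2 host=ci-runner-7" status=200
2026-03-31T01:12:05Z GET https://registry.npmjs.org/axios status=200
2026-03-31T01:13:04Z POST http://sfrclak.com:8000/6202033 body="packages.npm.org/product0 host=dev-mbp" status=200
2026-03-31T01:13:10Z POST https://example.com/api/product0 body="packages.npm.org/product0" status=200'

# Constructed sample process events: lines 1, 4 and 5 match; line 2 has a cwd
# outside node_modules, line 3 has the wrong parent, line 6 has a benign child.
SAMPLE_PROC_LOG='2026-03-31T01:12:03Z parent=node child=curl cwd=/home/ci/app/node_modules/plain-crypto-js
2026-03-31T01:12:04Z parent=node child=python3 cwd=/tmp
2026-03-31T01:12:09Z parent=bash child=curl cwd=/home/ci/app/node_modules/foo
2026-03-31T01:12:11Z parent=node.exe child=cscript.exe cwd=C:\proj\node_modules\plain-crypto-js
2026-03-31T01:12:15Z parent=node child=osascript cwd=/Users/dev/app/node_modules/plain-crypto-js
2026-03-31T01:12:20Z parent=node child=node cwd=/home/ci/app/node_modules/.bin'

# Usage: match_c2_http < proxy.log ; match_suspicious_spawn < edr_export.log
# Demo on the constructed samples:
printf '%s\n' "$SAMPLE_HTTP_LOG" | match_c2_http
printf '%s\n' "$SAMPLE_PROC_LOG" | match_suspicious_spawn
```

The decoy lines matter: a rule on product0/product1/product2 alone would fire on any request that happens to carry that string, and a rule on node spawning python3 alone would fire on every native-addon build. Requiring the C2 host and URI, and the node_modules working directory, keeps the matches specific to this dropper.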

YARA rules covering the obfuscated setup.js dropper and the per-platform artifacts, as well as Snort rules for the C2 domain, IP, URI, and POST body fingerprints, are already circulating and can help determine whether you have been affected by this attack.

Cleaning Caches and Artifactories

The compromised versions have been removed from the public npm registry, but copies may persist in local caches, private registries, and CI/CD layers. Run npm cache clean --force on any machine or runner that executed npm install during the compromise window (March 30 23:00 UTC – March 31 ~04:00 UTC). Do the same for Yarn (yarn cache clean) and pnpm (pnpm store prune). If your organization operates a caching proxy or private registry (JFrog Artifactory, Sonatype Nexus, Verdaccio, AWS CodeArtifact, GitHub Packages, etc.) search for and delete cached copies of axios@1.14.1, axios@0.30.4, and plain-crypto-js@4.2.1. Consider adding those versions to your registry's block list to prevent re-caching.

Don't forget CI/CD caches (invalidate node_modules cache keys created during the window), Docker images built during that period (which may have the malicious packages baked into their layers), and vendored dependencies. Socket identified packages such as @shadanai/openclaw and @qqbrowser/openclaw-qbot that bundled the compromised axios transitively. After cleanup, pin your lockfiles to axios@1.14.0 (1.x) or axios@0.30.3 (0.x), add an overrides block (npm) or resolutions block (Yarn) to enforce the pin, and run a fresh npm ci --ignore-scripts to verify that plain-crypto-js does not appear in your resolved tree.
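The lockfile check below is an added example, not the page's own tooling. It parses the lockfileVersion 2/3 layout of package-lock.json, where each installed package appears under a "node_modules/..." key followed by its "version", flags any plain-crypto-js entry and the two compromised axios versions, and prints the npm overrides block that pins axios. The two sample lockfiles are constructed for the example; Yarn and pnpm lockfiles use different formats and are not covered.

```sh
#!/bin/sh
# Added example (not from the original post): flag compromised versions in a
# package-lock.json (lockfileVersion 2/3) and print the pin to apply.

# Print one "<key> <version>" line per offending entry; return 1 if any, 0 if clean.
check_lockfile() {
    findings=$(awk '
        # Entry header such as "node_modules/axios": {  (nested paths included)
        /^[[:space:]]*"node_modules\/.*": \{/ {
            key = $1; sub(/^"/, "", key); sub(/":$/, "", key)
            if (key ~ /(^|\/)node_modules\/plain-crypto-js$/) print key " (any version)"
        }
        # The first "version" line after a header belongs to that entry.
        /^[[:space:]]*"version":/ && key != "" {
            ver = $2; gsub(/[",]/, "", ver)
            if (key ~ /(^|\/)node_modules\/axios$/ && (ver == "1.14.1" || ver == "0.30.4"))
                print key " " ver
            key = ""
        }
    ' "$1")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# The npm overrides block to add to package.json (Yarn uses "resolutions" instead).
print_overrides() {
    cat <<'EOF'
{
  "overrides": {
    "axios": "1.14.0"
  }
}
EOF
}

# Constructed sample: a lockfile that resolved the compromised axios during the window.
SAMPLE_BAD_LOCK='{
  "name": "demo-app",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "packages": {
    "": {
      "name": "demo-app",
      "version": "1.0.0",
      "dependencies": { "axios": "^1.14.0" }
    },
    "node_modules/axios": {
      "version": "1.14.1",
      "resolved": "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz",
      "dependencies": { "plain-crypto-js": "4.2.1" }
    },
    "node_modules/plain-crypto-js": {
      "version": "4.2.1",
      "hasInstallScript": true
    }
  }
}'

# Constructed sample: the same project after pinning to axios@1.14.0.
SAMPLE_CLEAN_LOCK='{
  "name": "demo-app",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "packages": {
    "": {
      "name": "demo-app",
      "version": "1.0.0",
      "dependencies": { "axios": "1.14.0" }
    },
    "node_modules/axios": {
      "version": "1.14.0",
      "resolved": "https://registry.npmjs.org/axios/-/axios-1.14.0.tgz"
    }
  }
}'

# Usage after cleanup: npm ci --ignore-scripts && check_lockfile package-lock.json
```

Run the check on the lockfile produced by npm ci --ignore-scripts, not on the one that was present before cleanup: the point is to confirm that the freshly resolved tree contains neither plain-crypto-js nor a compromised axios. A nested hit such as node_modules/some-dep/node_modules/axios is reported too, which is how transitive bundlers like the ones Socket identified show up.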

Overeager IDE Extensions Can Pull Malicious Dependencies Too

Even where developers had pinned versions with lockfiles, compromise was possible via IDE extensions. For example, the NX Console extension for VS Code automatically pulls package dependencies when it is opened for a project and, regardless of the specified version, fetches the latest from the registry. During the axios exposure window that means it could have pulled down the transitive dependency plain-crypto-js, whose postinstall hook installed the malware.

An EDR product can detect this behavior; the lesson is that checking lockfiles alone is not sufficient to conclude that you were not impacted.


About


Semgrep enables teams to use industry-leading AI-assisted static application security testing (SAST), supply chain dependency scanning (SCA), and secrets detection. The Semgrep AppSec Platform is built for teams that struggle with noise by helping development teams apply secure coding practices.