Axios NPM Package Compromised: Supply Chain Attack Hits JavaScript HTTP Client with 100M+ Weekly Downloads

    Date: 04/02/2026

    Severity: High

    Summary

    Axios, a popular JavaScript HTTP client with more than 100 million weekly downloads, was compromised after an attacker took over the lead maintainer's npm account. The attacker released two malicious versions (1.14.1 and 0.30.4) embedding a cross-platform remote access trojan (RAT). The attack used a hidden dependency, plain-crypto-js@4.2.1, which ran a postinstall script to install persistent malware across macOS, Windows, and Linux. It then covered its tracks by replacing malicious files with clean-looking decoys. The attacker bypassed GitHub Actions security by publishing directly with a stolen npm token, leaving no repository trace. Although scanners quickly detected the issue and npm removed the packages, the incident exposed serious supply chain and CI/CD security weaknesses.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    sfrclak.com

    callnrwise.com

    http://sfrclak.com:8000/6202033

    packages.npm.org/product0

    packages.npm.org/product1

    packages.npm.org/product2

    IP Address

    142.11.206.73

    Hash


    Filename:

    /Library/Caches/com.apple.act.mond

    %PROGRAMDATA%\wt.exe

    %TEMP%\6202033.vbs

    %TEMP%\6202033.ps1

    /tmp/ld.py

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "callnrwise.com" or url like "callnrwise.com" or siteurl like "callnrwise.com" or domainname like "http://sfrclak.com:8000/6202033" or url like "http://sfrclak.com:8000/6202033" or siteurl like "http://sfrclak.com:8000/6202033" or domainname like "sfrclak.com" or url like "sfrclak.com" or siteurl like "sfrclak.com" or domainname like "packages.npm.org/product0" or url like "packages.npm.org/product0" or siteurl like "packages.npm.org/product0" or domainname like "packages.npm.org/product1" or url like "packages.npm.org/product1" or siteurl like "packages.npm.org/product1" or domainname like "packages.npm.org/product2" or url like "packages.npm.org/product2" or siteurl like "packages.npm.org/product2"

    Detection Query 2:

    dstipaddress IN ("142.11.206.73") or srcipaddress IN ("142.11.206.73")

    Detection Query 3:

    sha256hash IN ("e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09","fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf","ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c","f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd","617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101")

    Detection Query 4:

    sha1hash IN ("07d889e2dadce6f3910dcbc253317d28ca61c766","2553649f2322049666871cea80a5d0d6adc700ca","d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71")

    Detection Query 5:

    resourcename = "Windows Security" and eventtype = "4663" and objectname IN ("/Library/Caches/com.apple.act.mond","%PROGRAMDATA%\wt.exe","%TEMP%\6202033.vbs","%TEMP%\6202033.ps1","/tmp/ld.py")

    Detection Query 6:

    technologygroup = "EDR" and objectname IN ("/Library/Caches/com.apple.act.mond","%PROGRAMDATA%\wt.exe","%TEMP%\6202033.vbs","%TEMP%\6202033.ps1","/tmp/ld.py")

    Reference:

    https://www.trendmicro.com/en_us/research/26/c/axios-npm-package-compromised.html


    Tags

    Malware, Threat Actor, Supply chain attack, Node Package Manager (NPM), RAT
