Axios npm account shipped RAT
A compromised axios maintainer account published malicious npm versions 1.14.1 and 0.30.4 on March 31, 2026. Both releases added a dependency on plain-crypto-js 4.2.1, whose install step delivered a multi-platform remote access trojan (RAT) to every machine that installed either version during the roughly three-hour window before npm pulled them.
Story
Just after midnight UTC on March 31, 2026, an attacker with access to the lead maintainer's npm account published two malicious versions of axios, the most widely used HTTP client in the JavaScript ecosystem. The window was narrow, less than three hours, but the dependency graph beneath axios is enormous, and one of the projects that pulled the bad version was OpenAI's macOS app-signing pipeline.
The axios project later published a postmortem describing the entry point as a compromised maintainer workstation reached through a targeted social engineering campaign and a remote access trojan. The attacker did not bother rewriting the library's public API. Instead, axios 1.14.1 and 0.30.4 were published with a new dependency on plain-crypto-js@4.2.1, a helper package the same actor had pushed to npm the day before. A normal fresh install during the window pulled the poisoned axios, then pulled the malicious helper, which installed a multi-platform RAT covering macOS, Windows, and Linux. Operators of affected machines were told to watch for outbound traffic to sfrclak.com or 142.11.206.73 on TCP port 8000.
The clock ran fast. Axios 1.14.1 went live at 00:21 UTC, 0.30.4 followed around 01:00 UTC, community detections started almost immediately, an axios collaborator opened a deprecation PR at 01:38 UTC, and npm pulled the two axios versions by 03:15 UTC, with plain-crypto-js removed at 03:29 UTC. Socket reported a week later that the malicious axios had been pulled into OpenAI's macOS app-signing GitHub Actions workflow, which resolved axios from a floating tag rather than a pinned version and had no minimumReleaseAge set (a setting that refuses to install versions published more recently than a configured age, which would have blocked a release that was minutes old). OpenAI responded by revoking and rotating its macOS code-signing certificate and rebuilding ChatGPT Desktop, Codex, and Atlas with new credentials, setting a May 8 deadline after which older signed versions would stop working. OpenAI said it found no evidence the signing certificate was actually exfiltrated.
The axios project committed to immutable releases, OIDC publishing, stronger GitHub Actions hygiene, and a release process less dependent on any one personal npm account.
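The mechanism described above (a fresh install resolving a floating range onto a version published minutes earlier, and a helper dependency running code at install time) suggests three checks a responder would run on a suspect build machine. The block below is an added example, not code from the axios project, Socket, or the postmortem: it audits a package-lock.json for the versions this page names as malicious, flags dependency specs that are not pinned to an exact version, and scans egress log lines for the sfrclak.com / 142.11.206.73 port 8000 indicator. The lockfile, package.json and log lines are constructed for the example, and the log line format is an assumption.

```javascript
// Added example, not code from the axios project or its postmortem.
// Indicators taken from the page text.
const BAD_VERSIONS = {
  axios: new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": new Set(["4.2.1"]),
};
const IOC_HOSTS = new Set(["sfrclak.com", "142.11.206.73"]);
const IOC_PORT = 8000;

// package-lock.json (lockfileVersion 2 or 3) keys every installed package by
// its node_modules path. The package name is whatever follows the last
// "node_modules/" segment, so nested copies under another dependency are
// caught too. The "" key is the root project and is skipped.
function findBadPackages(lockfile) {
  const hits = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    const idx = key.lastIndexOf("node_modules/");
    if (idx === -1) continue; // root project or workspace link
    const name = key.slice(idx + "node_modules/".length);
    const bad = BAD_VERSIONS[name];
    if (bad && bad.has(entry.version)) {
      hits.push({
        path: key,
        name,
        version: entry.version,
        installScript: Boolean(entry.hasInstallScript), // npm records install hooks here
      });
    }
  }
  return hits;
}

// A fresh install only reached the malicious axios because the range resolved
// to whatever was newest. Flag dependency specs that can float onto a release
// published minutes earlier: dist-tags such as "latest", "*", and
// caret/tilde/comparator ranges. Only an exact semver version passes.
function floatingSpecs(pkgJson) {
  const exact = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkgJson[field] || {})) {
      if (!exact.test(spec)) out.push(`${name}@${spec}`);
    }
  }
  return out;
}

// Egress log line format is an assumption made for this example:
// "<iso-timestamp> <pid> <process> -> <host>:<port>"
function scanEgress(lines) {
  const re = /^(\S+) (\d+) (\S+) -> (\S+):(\d+)$/;
  const alerts = [];
  for (const line of lines) {
    const m = re.exec(line.trim());
    if (!m) continue;
    const [, ts, pid, proc, host, port] = m;
    if (IOC_HOSTS.has(host) && Number(port) === IOC_PORT) {
      alerts.push({ ts, pid: Number(pid), proc, host, port: Number(port) });
    }
  }
  return alerts;
}

// Constructed sample inputs: a lockfile that picked up the bad versions, a
// package.json with floating specs, and four egress lines of which two match.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/legacy-client": { version: "2.0.0", dependencies: { axios: "0.27.2" } },
    "node_modules/legacy-client/node_modules/axios": { version: "0.27.2" },
  },
};
const SAMPLE_PKG = {
  dependencies: { axios: "^1.14.0", semver: "7.6.0" },
  devDependencies: { jest: "latest" },
};
const SAMPLE_EGRESS = [
  "2026-03-31T00:47:12Z 4182 node -> registry.npmjs.org:443",
  "2026-03-31T00:47:19Z 4190 node -> sfrclak.com:8000",
  "2026-03-31T00:47:20Z 4190 node -> 142.11.206.73:8000",
  "2026-03-31T00:47:25Z 4190 node -> 142.11.206.73:443",
];

console.log("bad packages:", findBadPackages(SAMPLE_LOCK));
console.log("floating specs:", floatingSpecs(SAMPLE_PKG));
console.log("IOC egress:", scanEgress(SAMPLE_EGRESS));
```

On a real tree, `npm ls axios plain-crypto-js` answers the first question directly. The floating-spec check is only half of the protection: a lockfile committed before the window and installed with `npm ci` would not have resolved the new versions at all, and running installs with `--ignore-scripts` removes the install-time hook the helper relied on, at the cost of breaking packages that legitimately need one.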
Affected Artifacts
- Package: axios
- Observed: 2026-03-31
- Compromised Versions: 1.14.1, 0.30.4
- Fixed: Not listed
- Hashes: sha256:e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
- Evidence: distribution: npmjs.com/package/axios/v/1.14.1, distribution: npmjs.com/package/axios/v/0.30.4, mirror: github.com/axios/axios, domain: sfrclak.com, +2 more
- The official postmortem says the malicious axios versions were live from 00:21 UTC to 03:15 UTC on March 31, 2026.
- Package: plain-crypto-js
- Observed: 2026-03-30 to 2026-03-31
- Compromised Versions: 4.2.1
- Fixed: Not listed
- Evidence: distribution: npmjs.com/package/plain-crypto-js/v/4.2.1, observable: Injected as a dependency of axios 1.14.1 and axios 0.30.4., observable: Installed a remote access trojan on macOS, Windows, and Linux.
- The postmortem timeline says plain-crypto-js 4.2.0 was first published on March 30, then 4.2.1 was injected into the malicious axios releases and removed at 03:29 UTC on March 31, 2026.
Incident Context
- Motive: Backdoor Remote Code Execution
- Attribution: Group
- Cause: Compromised Account Credentials
- Transitive: No
- Actor: Third Party
External References
Source record: oss/attacks/axios/meta.yaml