Axios: Attackers hijack Axios npm account to spread RAT malware


Axios npm Account Hijacked to Distribute Cross-Platform RAT Malware

On March 31, 2026, threat actors compromised the npm account of Axios, a widely used JavaScript HTTP client library with over 100 million weekly downloads, and used it to distribute remote access trojan (RAT) malware for Linux, Windows, and macOS. The supply chain attack was detected by the security firms Aikido Security and Socket after two malicious Axios versions (1.14.1 and 0.30.4) appeared on the registry. Both releases lacked the OIDC provenance attestation that a release from the project's publishing workflow would carry, and neither had a matching commit in the GitHub repository, which is what marked them as published with a maintainer credential rather than through the normal release process.

Attackers most likely gained access through the compromised npm account of maintainer Jason Saayman. The malicious releases added a new dependency, plain-crypto-js, whose package contained an obfuscated post-install script; because npm runs install hooks automatically, simply installing the affected Axios version executed the loader. The loader then downloaded a second-stage payload tailored to the victim's operating system. On macOS, researchers confirmed delivery of a fully functional RAT capable of system reconnaissance, command-and-control (C2) communication, and remote command execution.

To evade detection, the installer deleted its own artifacts after running, so the installed package looked clean on later inspection. For responders this means the absence of dropper files in node_modules does not prove a host was never infected; the lockfile, the registry download history, and any second-stage persistence are the evidence to check. The attack window was brief, but given Axios' roughly 400 million monthly downloads, the potential impact was significant.

Security researchers also identified two additional malicious packages, @shadanai/openclaw and @qqbrowser/openclaw-qbot, that spread the same malware through hidden dependencies. Both were pulled in by automated build pipelines, which propagated the infection without any human reviewing the dependency change and showed how a single compromised dependency can rapidly reach downstream projects.

Indicators of compromise (IOCs) were published by Socket and Aikido Security to help identify affected systems. Although the attack was contained quickly, organizations using Axios were advised to check their installations and lockfiles for the malicious versions, the injected dependency, and any remaining artifacts.

Source: https://securityaffairs.com/190221/security/attackers-hijack-axios-npm-account-to-spread-rat-malware.html

Axios cybersecurity rating report: https://www.rankiteo.com/company/axios-media

"id": "AXI1775003215",
"linkid": "axios-media",
"type": "Cyber Attack",
"date": "2/2021",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{
  "affected_entities": [
    {
      "customers_affected": "Potentially widespread due to Axios' usage in downstream projects",
      "industry": "Software Development",
      "name": "Axios",
      "size": "Over 100 million weekly downloads, 400 million monthly downloads",
      "type": "JavaScript Library"
    }
  ],
  "attack_vector": "Compromised npm account",
  "customer_advisories": "Organizations using Axios advised to verify installations",
  "date_detected": "2026-03-31",
  "description": "On March 31, 2026, threat actors compromised the npm account of Axios, a widely used JavaScript library with over 100 million weekly downloads, to distribute remote access trojan (RAT) malware across Linux, Windows, and macOS. The supply chain attack was detected by security firms Aikido Security and Socket after malicious versions of Axios (1.14.1 and 0.30.4) were published without proper OIDC verification or matching GitHub commits. Attackers injected a malicious dependency (plain-crypto-js) that deployed a cross-platform RAT using obfuscation and a post-install script to execute automatically. The malware downloaded a second-stage payload tailored to the victim's OS, with confirmed delivery of a fully functional RAT on macOS capable of system reconnaissance, C2 communication, and command execution. The attack was brief but had significant potential impact due to Axios' 400 million monthly downloads.",
  "impact": {
    "brand_reputation_impact": "Potential significant impact due to widespread use of Axios",
    "systems_affected": "Linux, Windows, macOS"
  },
  "initial_access_broker": {
    "entry_point": "Compromised npm account of maintainer Jason Saayman"
  },
  "investigation_status": "Contained",
  "post_incident_analysis": {
    "root_causes": "Compromised npm account, lack of OIDC verification, unmatched GitHub commits"
  },
  "recommendations": "Verify installations for malicious versions or artifacts, monitor for IOCs provided by security firms",
  "references": [
    {"source": "Aikido Security"},
    {"source": "Socket"}
  ],
  "response": {
    "communication_strategy": "Advisories to organizations using Axios",
    "containment_measures": "Detection and provision of IOCs by security firms",
    "remediation_measures": "Verification of installations for malicious versions or artifacts",
    "third_party_assistance": "Aikido Security, Socket"
  },
  "title": "Axios npm Account Hijacked to Distribute Cross-Platform RAT Malware",
  "type": "Supply Chain Attack",
  "vulnerability_exploited": "Lack of OIDC verification, unmatched GitHub commits"
}