The Incident
On March 31, 2026, a high-profile supply chain attack targeted Axios, a critical HTTP client for the JavaScript ecosystem. By hijacking a maintainer's NPM account, attackers injected a malicious dependency, plain-crypto-js, which deployed a cross-platform Remote Access Trojan (RAT).
Incident Summary
| Detail | Information |
|---|---|
| Affected Versions |
axios@1.14.1, axios@0.30.4
|
| Malicious Dependency | plain-crypto-js@4.2.1 |
| Payload | Cross-platform RAT (Linux, macOS, Windows) |
| C2 Server | sfrclak.com:8000 |
| Resolution Window | Live for ~3 hours (00:21 – 03:29 UTC) |
Technical Deep Dive
The attack bypassed standard security audits by hiding the malicious logic within a sub-dependency. Once installed via a standard npm install, the payload scanned the host machine for:
-
Environment Variables:
.envfiles and active shell exports. -
Auth Tokens:
~/.npmrcand~/.aws/credentials. -
SSH Keys: Unprotected private keys in
~/.ssh.
Data was exfiltrated via POST requests to the sfrclak.com Command & Control (C2) server.
Remediation & Verification
To ensure a development environment is sanitized, the following protocol was executed:
- Network Sinkholing: Manually mapping the C2 domain to
127.0.0.1in/etc/hoststo prevent further exfiltration and "kill" the phone-home capability. -
Lockfile Audit: Scanning all local projects for traces of the malicious package using a space-safe search:
find . -type f \( -name "package-lock.json" -o -name "yarn.lock" \) -print0 | xargs -0 grep "plain-crypto-js" Environment Sanitization: Clearing the global NPM cache and updating tool managers (like
mise) to ensure only verified versions are used moving forward.
Pro-Tip: Always use
npm auditor tools like Snyk to monitor your dependency tree for "hidden" sub-dependencies that do not appear directly in yourpackage.json.
Top comments (0)