NPM Package Supply Chain Compromise Leads to RAT Deployment
A supply chain attack targeting the Axios npm package has been identified after threat actors compromised the npm account of the company's lead developer. Malicious versions (axios@1.14.1 and axios@0.30.4) were published containing a hidden dependency that executed postinstall scripts during npm installation. This automated execution downloaded and deployed a remote access trojan on affected systems without requiring user interaction, making it particularly dangerous for developer environments and CI/CD pipelines. The compromise resulted in full remote access capabilities, potential credential exposure including API keys and SSH keys, and possible insertion of malicious code into software builds. Detection platforms identified suspicious process execution chains involving npm spawning command interpreters and network utilities, followed by outbound connections to attacker-controlled infrastructure.
AI Analysis
Technical Summary
Threat actors compromised the npm account of Axios's lead developer and published malicious package versions containing hidden dependencies that execute postinstall scripts. These scripts automatically download and deploy a remote access trojan on systems installing the affected Axios versions, enabling attackers to gain full remote access, steal credentials, and potentially insert malicious code into software builds. The attack targets developer environments and CI/CD pipelines, leveraging npm's automated installation process. Detection involves monitoring for suspicious process execution patterns and network connections to attacker-controlled domains. No vendor advisory or patch information is currently available.
Potential Impact
The compromise results in full remote access capabilities on affected systems, exposing sensitive credentials including API keys and SSH keys. It also risks the integrity of software builds by allowing malicious code insertion. The attack can propagate through developer environments and CI/CD pipelines, potentially affecting downstream software consumers. No known exploits in the wild are reported, but the automated nature of the postinstall script execution increases the risk of widespread impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix or guidance is available, developers should avoid installing the affected Axios versions (1.14.1 and 0.30.4) and verify package integrity through trusted sources. Monitoring for suspicious npm postinstall activity and network connections to known attacker domains (e.g., sfrclak.com) is recommended. Consider using package integrity verification tools and restricting automated script execution during package installation in CI/CD environments.
Indicators of Compromise
- hash: 04e3073b3cd5c5bfcde6f575ecf6e8c1
- hash: 7658962ae060a222c0058cd4e979bfa1
- hash: a90c26e7cbb3440ac1cad75cf351cbedef7744a8
- hash: b0e0f12f1be57dc67fa375e860cedd19553c464d
- hash: 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101
- hash: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
- domain: sfrclak.com
NPM Package Supply Chain Compromise Leads to RAT Deployment
Description
A supply chain attack targeting the Axios npm package has been identified after threat actors compromised the npm account of the company's lead developer. Malicious versions (axios@1.14.1 and axios@0.30.4) were published containing a hidden dependency that executed postinstall scripts during npm installation. This automated execution downloaded and deployed a remote access trojan on affected systems without requiring user interaction, making it particularly dangerous for developer environments and CI/CD pipelines. The compromise resulted in full remote access capabilities, potential credential exposure including API keys and SSH keys, and possible insertion of malicious code into software builds. Detection platforms identified suspicious process execution chains involving npm spawning command interpreters and network utilities, followed by outbound connections to attacker-controlled infrastructure.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Threat actors compromised the npm account of Axios's lead developer and published malicious package versions containing hidden dependencies that execute postinstall scripts. These scripts automatically download and deploy a remote access trojan on systems installing the affected Axios versions, enabling attackers to gain full remote access, steal credentials, and potentially insert malicious code into software builds. The attack targets developer environments and CI/CD pipelines, leveraging npm's automated installation process. Detection involves monitoring for suspicious process execution patterns and network connections to attacker-controlled domains. No vendor advisory or patch information is currently available.
Potential Impact
The compromise results in full remote access capabilities on affected systems, exposing sensitive credentials including API keys and SSH keys. It also risks the integrity of software builds by allowing malicious code insertion. The attack can propagate through developer environments and CI/CD pipelines, potentially affecting downstream software consumers. No known exploits in the wild are reported, but the automated nature of the postinstall script execution increases the risk of widespread impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix or guidance is available, developers should avoid installing the affected Axios versions (1.14.1 and 0.30.4) and verify package integrity through trusted sources. Monitoring for suspicious npm postinstall activity and network connections to known attacker domains (e.g., sfrclak.com) is recommended. Consider using package integrity verification tools and restricting automated script execution during package installation in CI/CD environments.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.levelblue.com/blogs/spiderlabs-blog/axios-npm-package-supply-chain-compromise-leads-to-rat-deployment"]
- Adversary
- null
- Pulse Id
- 69d8b0c258b4fef5541358bb
- Threat Score
- null
Indicators of Compromise
Hash
| Value | Description | Copy |
|---|---|---|
hash04e3073b3cd5c5bfcde6f575ecf6e8c1 | — | |
hash7658962ae060a222c0058cd4e979bfa1 | — | |
hasha90c26e7cbb3440ac1cad75cf351cbedef7744a8 | — | |
hashb0e0f12f1be57dc67fa375e860cedd19553c464d | — | |
hash617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 | — | |
hashe10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09 | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainsfrclak.com | — |
Threat ID: 69d8cb821cc7ad14daa7855e
Added to database: 4/10/2026, 10:05:54 AM
Last enriched: 4/10/2026, 10:20:47 AM
Last updated: 5/26/2026, 2:30:20 AM
Views: 125
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.