NPM Package Supply Chain Compromise Leads to RAT Deployment
A supply chain attack compromised the npm account of the lead developer of the Axios package, resulting in malicious versions (axios@1. 14. 1 and axios@0. 30. 4) being published. These versions included hidden dependencies that executed postinstall scripts during npm installation, automatically deploying a remote access trojan (RAT) without user interaction. This attack enables full remote access to affected systems, potential exposure of sensitive credentials such as API and SSH keys, and the insertion of malicious code into software builds. The threat is particularly dangerous in developer environments and CI/CD pipelines. Detection involves identifying suspicious npm process chains and outbound connections to attacker infrastructure. No official patch or remediation guidance is provided in the available data.
AI Analysis
Technical Summary
Threat actors compromised the npm account of Axios's lead developer and published malicious package versions containing hidden dependencies that execute postinstall scripts. These scripts automatically download and deploy a remote access trojan on systems installing the affected Axios versions, enabling attackers to gain full remote access, steal credentials, and potentially insert malicious code into software builds. The attack targets developer environments and CI/CD pipelines, leveraging npm's automated installation process. Detection involves monitoring for suspicious process execution patterns and network connections to attacker-controlled domains. No vendor advisory or patch information is currently available.
Potential Impact
The compromise results in full remote access capabilities on affected systems, exposing sensitive credentials including API keys and SSH keys. It also risks the integrity of software builds by allowing malicious code insertion. The attack can propagate through developer environments and CI/CD pipelines, potentially affecting downstream software consumers. No known exploits in the wild are reported, but the automated nature of the postinstall script execution increases the risk of widespread impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix or guidance is available, developers should avoid installing the affected Axios versions (1.14.1 and 0.30.4) and verify package integrity through trusted sources. Monitoring for suspicious npm postinstall activity and network connections to known attacker domains (e.g., sfrclak.com) is recommended. Consider using package integrity verification tools and restricting automated script execution during package installation in CI/CD environments.
Indicators of Compromise
- hash: 04e3073b3cd5c5bfcde6f575ecf6e8c1
- hash: 7658962ae060a222c0058cd4e979bfa1
- hash: a90c26e7cbb3440ac1cad75cf351cbedef7744a8
- hash: b0e0f12f1be57dc67fa375e860cedd19553c464d
- hash: 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101
- hash: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
- domain: sfrclak.com
NPM Package Supply Chain Compromise Leads to RAT Deployment
Description
A supply chain attack compromised the npm account of the lead developer of the Axios package, resulting in malicious versions (axios@1. 14. 1 and axios@0. 30. 4) being published. These versions included hidden dependencies that executed postinstall scripts during npm installation, automatically deploying a remote access trojan (RAT) without user interaction. This attack enables full remote access to affected systems, potential exposure of sensitive credentials such as API and SSH keys, and the insertion of malicious code into software builds. The threat is particularly dangerous in developer environments and CI/CD pipelines. Detection involves identifying suspicious npm process chains and outbound connections to attacker infrastructure. No official patch or remediation guidance is provided in the available data.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Threat actors compromised the npm account of Axios's lead developer and published malicious package versions containing hidden dependencies that execute postinstall scripts. These scripts automatically download and deploy a remote access trojan on systems installing the affected Axios versions, enabling attackers to gain full remote access, steal credentials, and potentially insert malicious code into software builds. The attack targets developer environments and CI/CD pipelines, leveraging npm's automated installation process. Detection involves monitoring for suspicious process execution patterns and network connections to attacker-controlled domains. No vendor advisory or patch information is currently available.
Potential Impact
The compromise results in full remote access capabilities on affected systems, exposing sensitive credentials including API keys and SSH keys. It also risks the integrity of software builds by allowing malicious code insertion. The attack can propagate through developer environments and CI/CD pipelines, potentially affecting downstream software consumers. No known exploits in the wild are reported, but the automated nature of the postinstall script execution increases the risk of widespread impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix or guidance is available, developers should avoid installing the affected Axios versions (1.14.1 and 0.30.4) and verify package integrity through trusted sources. Monitoring for suspicious npm postinstall activity and network connections to known attacker domains (e.g., sfrclak.com) is recommended. Consider using package integrity verification tools and restricting automated script execution during package installation in CI/CD environments.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.levelblue.com/blogs/spiderlabs-blog/axios-npm-package-supply-chain-compromise-leads-to-rat-deployment"]
- Adversary
- null
- Pulse Id
- 69d8b0c258b4fef5541358bb
- Threat Score
- null
Indicators of Compromise
Hash
| Value | Description | Copy |
|---|---|---|
hash04e3073b3cd5c5bfcde6f575ecf6e8c1 | — | |
hash7658962ae060a222c0058cd4e979bfa1 | — | |
hasha90c26e7cbb3440ac1cad75cf351cbedef7744a8 | — | |
hashb0e0f12f1be57dc67fa375e860cedd19553c464d | — | |
hash617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 | — | |
hashe10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09 | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainsfrclak.com | — |
Threat ID: 69d8cb821cc7ad14daa7855e
Added to database: 4/10/2026, 10:05:54 AM
Last enriched: 4/10/2026, 10:20:47 AM
Last updated: 4/10/2026, 9:26:25 PM
Views: 21
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.