Attackers Compromised Axios, NPM Package With Over 100M Weekly Downloads, Rotate Your Keys Now
2026-03-31 • Ox Security
https://www.ox.security/blog/axios-compromised-with-a-malicious-dependency/
OX Security analyzes a supply-chain compromise of axios versions 0.30.4 and 1.14.1 through the malicious [email protected] dependency. The dependency's postinstall setup.js script contacted sfrclak[.]com on port 8000, fingerprinted the operating system, and downloaded Windows, macOS, or Linux payloads. The macOS payload supported C2-driven AppleScript execution, the Linux Python variant beaconed with host, process, and filesystem telemetry, and the Windows PowerShell variant added autorun persistence through a hidden batch file and Run key. The report warns that affected machines should be treated as fully compromised because the RAT behavior could expose credentials, API keys, crypto wallets, and other sensitive data.
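A lockfile check for the two axios versions named above, as an added example that is not code from the OX Security report. The function name and both sample lockfiles are constructed for illustration; only the version numbers come from the report.

```javascript
// Added example: flag package-lock.json entries that resolve axios to a
// version named in the report. Sample lockfiles below are constructed.
const AFFECTED = new Set(["0.30.4", "1.14.1"]); // versions from the report

function findAffectedAxios(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      const isAxios =
        path === "node_modules/axios" || path.endsWith("/node_modules/axios");
      if (isAxios && AFFECTED.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree, so transitive copies
  // under another package are walked recursively
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "axios" && AFFECTED.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample: v3-style lockfile with a direct and a nested axios
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/axios": { version: "1.14.1" },
  "node_modules/sdk/node_modules/axios": { version: "0.30.4" },
  "node_modules/other/node_modules/axios": { version: "1.13.0" },
  "node_modules/@scope/axios": { version: "1.14.1" }, // different package
} };
// Constructed sample: v1-style lockfile with only a transitive hit
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  axios: { version: "1.13.0" },
  sdk: { version: "2.0.0", dependencies: { axios: { version: "0.30.4" } } },
} };

console.log(findAffectedAxios(SAMPLE_V3), findAffectedAxios(SAMPLE_V1));
```

Pass the function the parsed contents of a real package-lock.json. A lockfile shows only what is pinned now, so an empty result does not show that an affected version was never installed on the machine.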
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | sfrclak.com | 2026-03-30 | 2026-04-20 |
| HASH | e10b1fa84f1d6481625f741b6989278… | 2026-03-31 | 2026-04-17 |
| HASH | 617b67a8e1210e4fc87c92d1d1da45a… | 2026-03-30 | 2026-04-17 |
| HASH | 92ff08773995ebc8d55ec4b8e1a225d… | 2026-03-30 | 2026-04-17 |
| HASH | fcb81618bb15edfdedfb638b4c08a2a… | 2026-03-30 | 2026-04-17 |