2026-03-31 • Trend Micro •
https://www.trendmicro.com/en_us/research/26/c/axios-npm-package-compromised.html
Trend Micro reported that attackers hijacked the Axios npm maintainer account and manually published malicious Axios versions 1.14.1 and 0.30.4 using stolen credentials rather than the project’s normal OIDC Trusted Publisher workflow. The poisoned releases added the phantom dependency plain-crypto-js 4.2.1, which existed solely to execute a postinstall setup.js dropper during dependency installation. The dropper decoded obfuscated commands, contacted sfrclak[.]com:8000, dispatched OS-specific payloads for macOS, Windows, and Linux, and replaced its own files with clean decoys to hinder detection and forensics. The report highlights the risk of npm token compromise and dependency side effects in CI/CD and package installation pipelines.
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | sfrclak.com | 2026-03-30 | 2026-04-20 |
| HASH | ed8560c1ac7ceb6983ba995124d5917… | 2026-03-31 | 2026-04-17 |
| HASH | f7d335205b8d7b20208fb3ef93ee6dc… | 2026-03-31 | 2026-04-17 |
| HASH | e10b1fa84f1d6481625f741b6989278… | 2026-03-31 | 2026-04-17 |
| URL | http://sfrclak.com:8000/ | 2026-03-31 | 2026-04-17 |
| DOMAIN | callnrwise.com | 2026-03-31 | 2026-04-17 |
| HASH | 617b67a8e1210e4fc87c92d1d1da45a… | 2026-03-30 | 2026-04-17 |
| HASH | 92ff08773995ebc8d55ec4b8e1a225d… | 2026-03-30 | 2026-04-17 |
| HASH | fcb81618bb15edfdedfb638b4c08a2a… | 2026-03-30 | 2026-04-17 |
| [email protected] | 2026-03-30 | 2026-04-17 | |
| [email protected] | 2026-03-30 | 2026-04-17 | |
| IPv4 | 142.11.206.73 | 2026-03-30 | 2026-04-17 |
| HASH | d6f3f62fd3b9f5432f5782b62d8cfd5… | 2026-03-30 | 2026-04-04 |
| HASH | 07d889e2dadce6f3910dcbc253317d2… | 2026-03-30 | 2026-04-04 |
| HASH | 2553649f2322049666871cea80a5d0d… | 2026-03-30 | 2026-04-04 |
| HASH | 591a70e8b166265804c1e2add3f5554… | 2026-03-31 | 2026-03-31 |