Supply Chain Malware Alert: plain-crypto-js Compromises Axios Packages
2026-04-04 • Resecurity
Resecurity describes a malicious npm supply-chain campaign in which plain-crypto-js was embedded as a dependency in compromised Axios versions and executed through npm's postinstall lifecycle hook. The Node.js dropper used layered obfuscation, including string reversal, Base64 normalization, and XOR decryption with the key OrDeR_7077, to hide modules, commands, OS-specific payloads, and the C2 URL. The malware targeted Windows, macOS, and Linux systems, contacted http://sfrclak.com:8000/, and attempted credential theft involving npm tokens, AWS keys, SSH keys, and CI/CD secrets. The infection path matters because developers could be compromised by installing Axios normally, allowing a transitive dependency to execute payloads without direct user interaction.
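A small analyst-side helper for peeling the string layers the write-up names (reversal, Base64 normalization, XOR with the fixed key), added here as an example and not taken from Resecurity's report or from the malware itself. The order of the layers and what "Base64 normalization" covers (URL-safe alphabet, stripped padding) are assumptions, and the input decoded below is constructed, not copied from the dropper.

```javascript
// Added example: recover strings protected by the layering described above.
// Layer order (reverse -> Base64 -> XOR) and the normalization rules are
// assumptions; the test input is constructed, not from the real sample.
const XOR_KEY = 'OrDeR_7077'; // key named in the write-up

// Normalize URL-safe Base64 to the standard alphabet and restore padding.
function normalizeBase64(s) {
  const std = s.replace(/-/g, '+').replace(/_/g, '/').replace(/[^A-Za-z0-9+/]/g, '');
  return std + '='.repeat((4 - (std.length % 4)) % 4);
}

// Repeating-key XOR; the same routine encrypts and decrypts.
function xorWithKey(buf, key) {
  const k = Buffer.from(key, 'utf8');
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ k[i % k.length];
  return out;
}

// Peel the layers: reverse the string, decode Base64, XOR with the key.
function deobfuscate(blob, key = XOR_KEY) {
  const reversed = Array.from(blob).reverse().join('');
  const bytes = Buffer.from(normalizeBase64(reversed), 'base64');
  return xorWithKey(bytes, key).toString('utf8');
}

// Inverse of deobfuscate; only used to build constructed test input.
function obfuscate(plain, key = XOR_KEY) {
  const b64 = xorWithKey(Buffer.from(plain, 'utf8'), key).toString('base64url');
  return Array.from(b64).reverse().join('');
}

// Surface anything URL-shaped in decoded text so a C2 endpoint shows up in triage.
function extractUrls(text) {
  return text.match(/https?:\/\/[^\s'"`]+/g) || [];
}
```

Point `deobfuscate` at string literals pulled from a suspect dropper; a wrong layer order or key yields non-printable garbage rather than a readable URL or command, which is itself a useful signal while reversing.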
Indicators of Compromise