TL-2026-0300 CRITICAL 2026-03-31 Supply Chain Report

Axios Supply Chain Attack — 100M Weekly Downloads, Three RATs, One Compromised Token

Threadlinqs Intel Team | 12 min

Tags: axios, npm, supply-chain, cross-platform-rat, plain-crypto-js, sfrclak, GHSA-fw8c-xr5c-95f9, postinstall-hook, credential-theft

Threat ID: TL-2026-0300 | Severity: CRITICAL | Status: ACTIVE

Actor: Unknown | Nation: Unknown | Detections: 27 | IOCs: 26


One stolen npm token. A hundred million weekly downloads. Three platform-specific RATs deployed in under seven hours. On March 31, 2026, an attacker published trojanized versions of the Axios HTTP client library — axios@1.14.1 and axios@0.30.4 — to npm using a compromised maintainer account. The injected dependency, plain-crypto-js@4.2.1, dropped compiled C++ on macOS, PowerShell on Windows, and Python on Linux. We documented this attack across 3 separate threat reports (TL-2026-0300, TL-2026-0301, TL-2026-0303), extracted 27 detection rules, and mapped the full cross-platform kill chain. The incident is tracked as GHSA-fw8c-xr5c-95f9.

The Token That Owned npm

The attacker obtained a classic npm access token for jasonsaayman — the primary Axios maintainer. Classic tokens in npm carry no IP restrictions, no expiration, no CIDR scoping. One token, full publish access.

Before touching Axios, the attacker laid groundwork. At 05:57 UTC on March 30, a clean package called plain-crypto-js@4.2.0 was published under the npm account nrwise (email: nrwise@proton.me). A reputation seed. Eighteen hours later, the weaponized version 4.2.1 landed — same name, now carrying an obfuscated postinstall hook.

The Axios account was compromised next. The attacker changed jasonsaayman’s registered email to ifstap@proton.me, a ProtonMail address they controlled. Then they published directly via the npm CLI — not through GitHub Actions, not through Axios’s established OIDC Trusted Publisher mechanism. Neither malicious version has a corresponding GitHub tag or commit. That absence was the first signal. Socket Security flagged plain-crypto-js@4.2.1 within 6 minutes of publication. The malicious Axios versions survived roughly 6.5 hours before npm pulled them.
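The two signals in this section, a release with no provenance attestation after the project had been publishing through OIDC, and a publisher e-mail that changed between releases, can be checked mechanically from the registry's package document. The following is an added example written for this page, not Threadlinqs or Axios tooling. It runs on a constructed packument excerpt embedded inline; the field layout (a "time" map, "versions" map, dist.attestations on attested releases, _npmUser on each version) is an assumption of the example, to be confirmed against a live document from https://registry.npmjs.org/<package> before relying on it.

```python
import json
from typing import List

# Constructed packument excerpt, not real registry data. The layout mirrors the npm
# registry's per-package document ("time" and "versions" maps, dist.attestations on
# provenance-attested releases, _npmUser on each version); that layout is an
# assumption of this example, not something taken from the report.
SAMPLE_PACKUMENT = json.loads("""
{
  "name": "example-lib",
  "time": {
    "1.14.0": "2026-03-20T10:00:00.000Z",
    "1.14.1": "2026-03-31T00:21:00.000Z"
  },
  "versions": {
    "1.14.0": {
      "version": "1.14.0",
      "_npmUser": {"name": "maintainer", "email": "maintainer@example.org"},
      "dist": {
        "tarball": "https://registry.example.test/example-lib/-/example-lib-1.14.0.tgz",
        "attestations": {
          "url": "https://registry.example.test/-/npm/v1/attestations/example-lib@1.14.0",
          "provenance": {"predicateType": "https://slsa.dev/provenance/v1"}
        }
      }
    },
    "1.14.1": {
      "version": "1.14.1",
      "_npmUser": {"name": "maintainer", "email": "new-address@example.org"},
      "dist": {
        "tarball": "https://registry.example.test/example-lib/-/example-lib-1.14.1.tgz"
      }
    }
  }
}
""")


def has_provenance(version_doc: dict) -> bool:
    """True when a version carries a provenance attestation (Trusted Publisher / OIDC release)."""
    attestations = version_doc.get("dist", {}).get("attestations") or {}
    return "provenance" in attestations


def find_provenance_regressions(packument: dict) -> List[dict]:
    """Walk releases in publish order and flag two signals from the Axios incident:
    a release with no provenance after earlier releases had it (published by token,
    not the project's OIDC pipeline), and a publisher e-mail that changed between releases."""
    times = packument.get("time", {})
    releases = sorted(packument["versions"].values(),
                      key=lambda v: times.get(v["version"], ""))
    findings: List[dict] = []
    provenance_seen = False
    previous_email = None
    for doc in releases:
        version = doc["version"]
        email = (doc.get("_npmUser") or {}).get("email")
        if has_provenance(doc):
            provenance_seen = True
        elif provenance_seen:
            findings.append({"version": version,
                             "reason": "no provenance attestation after provenance-attested releases"})
        if previous_email is not None and email != previous_email:
            findings.append({"version": version,
                             "reason": f"publisher e-mail changed from {previous_email} to {email}"})
        previous_email = email
    return findings


if __name__ == "__main__":
    for finding in find_provenance_regressions(SAMPLE_PACKUMENT):
        print(f"{SAMPLE_PACKUMENT['name']}@{finding['version']}: {finding['reason']}")
```

Neither signal proves compromise on its own (a maintainer may legitimately publish from a laptop once), but a provenance regression on a package with 100M weekly downloads is exactly the kind of event that deserves a hold before the version reaches a build.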

setup.js — The XOR-Encoded Dropper

The payload lived in setup.js, triggered automatically during npm install via the postinstall hook. Two layers of obfuscation: an XOR cipher using a key derived from the string OrDeR_7077, followed by Base64 encoding. Once decoded, the script identifies the host operating system and branches into three execution paths.
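The two layers described above peel off in reverse order: Base64-decode first, then XOR. The following analysis helper is an added example for this page, not code from the report or from the sample. The report says only that the key is "derived from" OrDeR_7077 without stating the derivation, so the example assumes the string's bytes are used directly as a repeating key; the embedded blob is a constructed, benign stand-in built with the same two layers, not the real dropper.

```python
import base64
from itertools import cycle

# Key string named in the report. The report says the XOR key is *derived* from this
# string but does not spell out the derivation; this example assumes the string's
# bytes are used directly as a repeating key.
KEY_STRING = "OrDeR_7077"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so one routine serves both directions."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_layers(plaintext: str, key: str = KEY_STRING) -> str:
    """Apply the layers in the order the report describes (XOR, then Base64).
    Present only to build the constructed sample below."""
    return base64.b64encode(xor_bytes(plaintext.encode("utf-8"), key.encode())).decode("ascii")


def decode_layers(blob: str, key: str = KEY_STRING) -> str:
    """Reverse the layers: Base64-decode, then XOR with the key."""
    raw = base64.b64decode(blob, validate=True)
    return xor_bytes(raw, key.encode()).decode("utf-8", errors="replace")


def looks_like_script(text: str) -> bool:
    """Sanity check that a candidate key produced readable JavaScript rather than noise:
    almost entirely printable, and containing an OS-branching call of the kind the
    report describes."""
    printable = sum(ch.isprintable() or ch in "\n\t" for ch in text) / max(len(text), 1)
    return printable > 0.95 and ("process.platform" in text or "os.platform" in text)


# Constructed, benign stand-in for a decoded dropper body (not the real payload).
SAMPLE_DECODED = "const os = require('os');\nif (process.platform === 'darwin') { /* branch */ }\n"
SAMPLE_BLOB = encode_layers(SAMPLE_DECODED)

if __name__ == "__main__":
    decoded = decode_layers(SAMPLE_BLOB)
    print(decoded)
    print("plausible decode:", looks_like_script(decoded))
    print("plausible with wrong key:", looks_like_script(decode_layers(SAMPLE_BLOB, key="wrongkey")))
```

When the derivation turns out to differ (a hash of the string, a length-based transform), only `decode_layers` needs to change; `looks_like_script` is what tells you whether a guess was right.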

All three paths contact the same C2 endpoint: http://sfrclak.com:8000/6202033. The IP resolves to 142.11.206.73. From there, the RAT dropper downloads platform-specific second-stage payloads — compiled binaries for macOS, PowerShell scripts for Windows, Python for Linux.

[Figure: Cross-platform attack chain dendrogram — Axios supply chain IOCs and behavioral indicators branching by operating system (legend: package, domain/IP, path, hash, command, registry). Each leaf node represents an enriched indicator from Threadlinqs Intelligence.]

Three RATs, Three Operating Systems

Each OS gets its own RAT variant. Different languages, different persistence mechanisms, same C2 protocol.

macOS — the dropper spawns osascript to execute an AppleScript that downloads a compiled C++ Mach-O universal binary (x86_64 + ARM64) to /Library/Caches/com.apple.act.mond. The binary masquerades as an Apple system daemon. After download, the dropper runs codesign --force --deep --sign - to ad-hoc sign it, bypassing Gatekeeper. The RAT beacons to sfrclak.com:8000/product0 every 60 seconds via HTTP POST with a spoofed Internet Explorer 8 User-Agent — a dead giveaway on macOS.

Windows — more moving parts. The dropper copies powershell.exe to %PROGRAMDATA%\wt.exe (disguised as Windows Terminal), writes a VBScript file 6202033.vbs to %TEMP%, and executes it with cscript //nologo to download the PowerShell RAT. Persistence is via a registry Run key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate, pointing to a batch file system.bat that launches the renamed PowerShell. The RAT supports .NET assembly injection — loading arbitrary CLR assemblies directly into memory.

Linux — the simplest path. curl downloads a Python script to /tmp/ld.py, launched detached via nohup python3 /tmp/ld.py &. The RAT polls sfrclak.com:8000/product2 every 60 seconds and supports two commands: runscript (execute shell or Python code) and peinject (deploy additional payloads). Initial check-in sends hostname, username, OS version, and process list.
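All three variants share the same beacon shape: an HTTP POST to port 8000 every 60 seconds with a legacy Internet Explorer User-Agent. That regularity is detectable without any of the sfrclak.com indicators. The detector below is an added example for this page, not Threadlinqs code; it runs over constructed proxy log lines embedded inline. The log format and the exact MSIE User-Agent string are stand-ins chosen for the example, not captures from the incident.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed proxy log lines (not real captures): timestamp, source IP, method, URL,
# quoted User-Agent. 10.0.0.5 stands in for a workstation whose npm install ran the
# dropper; 10.0.0.9 is ordinary, irregular npm registry traffic. The IE8 User-Agent
# is shaped like the legacy UA the report describes, not the exact string the RAT sends.
SAMPLE_LOG = """\
2026-03-31T00:30:00Z 10.0.0.5 POST http://sfrclak.com:8000/product0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
2026-03-31T00:31:00Z 10.0.0.5 POST http://sfrclak.com:8000/product0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
2026-03-31T00:32:01Z 10.0.0.5 POST http://sfrclak.com:8000/product0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
2026-03-31T00:33:00Z 10.0.0.5 POST http://sfrclak.com:8000/product0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
2026-03-31T00:34:01Z 10.0.0.5 POST http://sfrclak.com:8000/product0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
2026-03-31T00:35:00Z 10.0.0.5 POST http://sfrclak.com:8000/product0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
2026-03-31T00:30:12Z 10.0.0.9 GET https://registry.npmjs.org/axios "npm/10.8.2 node/v20.11.1 darwin arm64"
2026-03-31T00:33:40Z 10.0.0.9 GET https://registry.npmjs.org/lodash "npm/10.8.2 node/v20.11.1 darwin arm64"
2026-03-31T00:41:05Z 10.0.0.9 GET https://registry.npmjs.org/axios "npm/10.8.2 node/v20.11.1 darwin arm64"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_log(text: str) -> List[dict]:
    """Parse the constructed log format into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, method, url, ua = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
                       "method": method, "url": url, "ua": ua})
    return events


def legacy_user_agent(ua: str) -> bool:
    """An MSIE User-Agent has no business coming from a current macOS or Linux build host."""
    return "MSIE" in ua


def find_beacons(events: List[dict], expected_period: float = 60.0, tolerance: float = 0.25,
                 max_cv: float = 0.1, min_hits: int = 5) -> List[dict]:
    """Group requests by (source, URL) and flag series whose mean inter-request gap sits
    within `tolerance` of the expected period with low jitter (coefficient of variation)."""
    series: Dict[Tuple[str, str], List[dict]] = defaultdict(list)
    for ev in events:
        series[(ev["src"], ev["url"])].append(ev)
    findings = []
    for (src, url), evs in series.items():
        if len(evs) < min_hits:
            continue
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        mean_gap = statistics.fmean(gaps)
        cv = statistics.stdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        near_period = abs(mean_gap - expected_period) <= tolerance * expected_period
        if near_period and cv <= max_cv:
            findings.append({"src": src, "url": url, "hits": len(evs), "mean_interval": mean_gap,
                             "jitter_cv": cv,
                             "legacy_user_agent": any(legacy_user_agent(e["ua"]) for e in evs)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['url']}: {f['hits']} hits, mean {f['mean_interval']:.1f}s, "
              f"cv {f['jitter_cv']:.3f}, legacy UA: {f['legacy_user_agent']}")
```

The periodicity test is what survives a C2 domain change; the User-Agent check is a cheap second signal, and the two together are far less noisy than either alone.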

Detection

Threadlinqs Intelligence documents 27 detection rules across the three Axios threat reports (TL-2026-0300, TL-2026-0301, TL-2026-0303). We combined them into three production-ready detections that cover the full kill chain — dropper execution, artifact deployment, and C2 communication — across all three platforms.

Splunk SPL — Axios Supply Chain Cross-Platform Kill Chain

SPL:

index=sysmon OR index=osquery OR index=proxy OR index=firewall OR index=dns
  sourcetype IN ("XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "linux:sysmon", "osquery:results", "pan:traffic", "bluecoat:proxysg:access:syslog", "squid")
| eval stage=case(
    match(ParentImage, "(?i)node") AND match(CommandLine, "(?i)(osascript|cscript|python|curl|wget|setup\.js)"), "dropper",
    match(TargetFilename, "(?i)(com\.apple\.act\.mond|wt\.exe|ld\.py|6202033\.vbs|system\.bat)"), "artifact",
    match(Image, "(?i)(wt\.exe|com\.apple\.act\.mond)") OR match(CommandLine, "(?i)nohup.*ld\.py"), "rat_exec",
    match(dest, "(?i)sfrclak") OR dest_ip="142.11.206.73" OR match(url, "(?i)(product0|product1|product2|6202033)"), "c2",
    EventCode=13 AND match(TargetObject, "(?i)MicrosoftUpdate"), "persistence",
    1=1, "other")
| search stage IN ("dropper", "artifact", "rat_exec", "c2", "persistence")
| eval platform=case(
    match(CommandLine, "(?i)osascript") OR match(TargetFilename, "com.apple"), "macOS",
    match(CommandLine, "(?i)(cscript|wt\.exe|powershell)") OR match(TargetFilename, "(?i)(wt\.exe|\.vbs|system\.bat)"), "Windows",
    match(CommandLine, "(?i)(python3|ld\.py|curl.*/tmp)") OR match(TargetFilename, "/tmp/ld"), "Linux",
    1=1, "unknown")
| fillnull value="-" src_ip
| stats count values(stage) AS attack_stages values(platform) AS platforms values(CommandLine) AS commands values(dest) AS destinations by host src_ip
| where count >= 2

Microsoft KQL — Axios RAT Deployment and C2 Beaconing

KQL:

let c2_indicators = dynamic(["sfrclak.com", "142.11.206.73"]);
let axios_artifacts = dynamic(["com.apple.act.mond", "wt.exe", "ld.py", "6202033.vbs", "system.bat", "plain-crypto-js"]);
// Stage 1: npm postinstall dropper
let dropper = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("node", "node.exe", "npm", "npm.cmd")
| where FileName in~ ("osascript", "cscript.exe", "python", "python3", "python.exe", "curl", "wget", "sh", "bash")
      or ProcessCommandLine has_any ("setup.js", "OrDeR_7077", "plain-crypto-js");
// Stage 2: Artifact deployment
let artifacts = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName has_any (axios_artifacts)
      or FolderPath has_any ("/Library/Caches/com.apple", "\\ProgramData\\wt.exe", "/tmp/ld.py");
// Stage 3: Persistence
let persistence = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "MicrosoftUpdate"
      and RegistryValueData has_any ("system.bat", "wt.exe");
// Stage 4: C2 beaconing
let c2 = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (c2_indicators) or RemoteIP in ("142.11.206.73")
      or RemoteUrl has_any ("product0", "product1", "product2", "6202033");
union dropper, artifacts, persistence, c2
| extend AttackStage = case(
    InitiatingProcessFileName in~ ("node", "node.exe"), "1_dropper",
    ActionType == "FileCreated", "2_artifact",
    ActionType has "Registry", "3_persistence",
    isnotempty(RemoteUrl) or isnotempty(RemoteIP), "4_c2",
    "unknown")
| project Timestamp, DeviceName, AttackStage, ActionType, FileName, FolderPath, ProcessCommandLine, RemoteUrl, RemoteIP, RegistryKey
| sort by Timestamp asc

Sigma — Axios npm Supply Chain Cross-Platform RAT Kill Chain

Sigma:

# Rule collection: each document below pairs one log source with the selections that
# exist in it, so a backend never receives file, DNS or registry fields on a
# process_creation search.
action: global
title: Axios npm Supply Chain — Cross-Platform RAT Kill Chain
id: a7c3f1d9-8e5b-4f2a-b6c0-3d9e7a1f5b8c
status: experimental
description: |
  Detects all stages of the Axios supply chain attack — npm postinstall dropper execution,
  cross-platform RAT artifact deployment, persistence mechanisms, and C2 beaconing to sfrclak.com.
  Covers macOS (AppleScript/Mach-O), Windows (renamed PowerShell/VBScript/.NET), and Linux (Python).
references:
    - https://intel.threadlinqs.com/#threats/TL-2026-0300
    - https://github.com/advisories/GHSA-fw8c-xr5c-95f9
author: Threadlinqs Intelligence
date: 2026/03/31
tags:
    - attack.initial-access
    - attack.t1195.002
    - attack.execution
    - attack.t1059
    - attack.persistence
    - attack.t1547.001
    - attack.defense-evasion
    - attack.t1036.005
    - attack.command-and-control
    - attack.t1071.001
falsepositives:
    - Legitimate use of osascript/cscript spawned by Node.js (rare in production environments)
level: critical
---
# npm postinstall hook spawning interpreters; renamed PowerShell masquerading as wt.exe
logsource:
    category: process_creation
detection:
    selection_dropper:
        ParentImage|endswith:
            - '/node'
            - '\node.exe'
            - '/npm'
        Image|endswith:
            - '/osascript'
            - '\cscript.exe'
            - '/python3'
            - '/python'
            - '/curl'
            - '/wget'
            - '/sh'
    selection_masquerade:
        Image|endswith: '\wt.exe'
        OriginalFileName: 'PowerShell.EXE'
    condition: selection_dropper or selection_masquerade
---
# Cross-platform RAT artifacts written to disk
logsource:
    category: file_event
detection:
    selection_artifacts:
        TargetFilename|contains:
            - 'com.apple.act.mond'
            - 'wt.exe'
            - 'ld.py'
            - '6202033.vbs'
            - 'system.bat'
    condition: selection_artifacts
---
# C2 domain resolution
logsource:
    category: dns_query
detection:
    selection_c2_dns:
        QueryName|contains: 'sfrclak.com'
    condition: selection_c2_dns
---
# Registry Run-key persistence
logsource:
    category: registry_set
detection:
    selection_registry:
        TargetObject|contains: 'MicrosoftUpdate'
    condition: selection_registry

Browse all 27 detection rules across 3 related threat reports: View on Threadlinqs Intelligence

Indicators of Compromise

Network Indicators

Type    Value                             Context
Domain  sfrclak.com                       Primary C2 — RAT beacon every 60s
IP      142.11.206.73                     C2 server hosting payloads
URL     http://sfrclak.com:8000/6202033   Initial payload download
URL     http://sfrclak.com:8000/product0  macOS RAT beacon endpoint
URL     http://sfrclak.com:8000/product1  Windows RAT beacon endpoint
URL     http://sfrclak.com:8000/product2  Linux RAT beacon endpoint

File Indicators

Type     Value                                                             Context
SHA-256  58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668  plain-crypto-js@4.2.1
SHA-256  5bb67e88846096f1f8d42a0f0350c9c46260591567612ff9af46f98d1b7571cd  axios@1.14.1
SHA-256  59336a964f110c25c112bcc5adca7090296b54ab33fa95c0744b94f8a0d80c0f  axios@0.30.4
SHA-256  e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09  setup.js dropper
SHA-256  92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a  macOS RAT (Mach-O)
SHA-256  617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101  Windows PowerShell RAT
SHA-256  ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c  Windows PS RAT variant
SHA-256  6483c004e207137385f480909d6edecf1b699087378aa91745ecba7c3394f9d7  Linux Python RAT
SHA-256  fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf  Linux ld.py variant
SHA-256  e49c2732fb9861548208a78e72996b9c3c470b6b562576924bcc3a9fb75bf9ff  Windows system.bat

Behavioral Indicators

Type      Value                               Context
Package   plain-crypto-js@4.2.1               Malicious npm dependency
Package   axios@1.14.1                        Trojanized Axios version
Package   axios@0.30.4                        Trojanized Axios version
Package   @shadanai/openclaw                  Related malicious package
Path      /Library/Caches/com.apple.act.mond  macOS RAT binary
Path      %PROGRAMDATA%\wt.exe                Windows renamed PowerShell
Path      /tmp/ld.py                          Linux Python RAT
Registry  HKCU\...\Run\MicrosoftUpdate        Windows persistence
Process   com.apple.act.mond                  macOS RAT process
Email     ifstap@proton.me                    Attacker email (jasonsaayman acct)
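The package indicators above are what a build pipeline can check directly: the lockfile says exactly which versions resolved. The scanner below is an added example for this page, not Threadlinqs tooling; it flags the versions named in this report in both lockfile layouts (the nested "dependencies" tree of lockfileVersion 1 and the path-keyed "packages" map of versions 2 and 3) and runs on a constructed lockfile excerpt embedded inline. @shadanai/openclaw is listed without a version in the report, so the example flags every version of it.

```python
import json
from typing import Dict, List, Set

# Package versions named in the report.
MALICIOUS_VERSIONS: Dict[str, Set[str]] = {
    "axios": {"1.14.1", "0.30.4"},
    "plain-crypto-js": {"4.2.1"},
}
# Named in the report without a version pin, so every version is flagged.
MALICIOUS_PACKAGES: Set[str] = {"@shadanai/openclaw"}

# Constructed package-lock.json excerpt in the lockfileVersion 3 layout (a "packages" map
# keyed by node_modules path, nested packages included). Not a real project's lockfile.
SAMPLE_LOCKFILE = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "dependencies": {"axios": "^1.14.0"}},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/plain-crypto-js": {"version": "4.2.1"},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/legacy-tool/node_modules/axios": {"version": "1.13.0"}
  }
}
""")


def is_malicious(name: str, version: str) -> bool:
    return name in MALICIOUS_PACKAGES or version in MALICIOUS_VERSIONS.get(name, set())


def _name_from_path(path: str) -> str:
    # "node_modules/@scope/pkg" and "node_modules/a/node_modules/b" both end in the package name
    return path.rsplit("node_modules/", 1)[-1]


def _walk_v1(deps: Dict[str, dict], prefix: str, out: List[dict]) -> None:
    # lockfileVersion 1 nests transitive dependencies under each entry's "dependencies"
    for name, entry in deps.items():
        path = f"{prefix}node_modules/{name}"
        version = entry.get("version", "")
        if is_malicious(name, version):
            out.append({"path": path, "name": name, "version": version})
        _walk_v1(entry.get("dependencies", {}), path + "/", out)


def scan_lockfile(lock: dict) -> List[dict]:
    """Return every resolved package that matches the report's malicious versions."""
    findings: List[dict] = []
    if "packages" in lock:  # lockfileVersion 2 and 3
        for path, entry in lock["packages"].items():
            if not path:
                continue  # "" is the root project itself
            name = entry.get("name") or _name_from_path(path)
            version = entry.get("version", "")
            if is_malicious(name, version):
                findings.append({"path": path, "name": name, "version": version})
    else:  # lockfileVersion 1
        _walk_v1(lock.get("dependencies", {}), "", findings)
    return findings


if __name__ == "__main__":
    for hit in scan_lockfile(SAMPLE_LOCKFILE):
        print(f"{hit['name']}@{hit['version']} at {hit['path']}")
```

Run it against every package-lock.json checked in across the estate, including those inside container images, since the malicious versions were live for roughly 6.5 hours and any `npm install` without a lockfile in that window could have pulled them.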

Timeline

Date                  Event
2026-03-28            @shadanai/openclaw malicious packages published to npm — pre-staging
2026-03-30 05:57 UTC  plain-crypto-js@4.2.0 published (clean reputation seed)
2026-03-30            jasonsaayman npm account compromised, email changed to ifstap@proton.me
2026-03-30 23:59 UTC  plain-crypto-js@4.2.1 published (weaponized with postinstall hook)
2026-03-31 00:05 UTC  Socket Security flags plain-crypto-js@4.2.1 (within 6 minutes)
2026-03-31 00:21 UTC  Malicious axios@1.14.1 published to npm
2026-03-31 01:00 UTC  Malicious axios@0.30.4 published to npm
2026-03-31 01:50 UTC  Elastic Security Labs files GHSA advisory
2026-03-31 ~08:00 UTC npm removes malicious versions (~6.5-hour window)
2026-04-01            GHSA-fw8c-xr5c-95f9 published; Elastic, Wiz, Picus analysis

MITRE ATT&CK Mapping

Tactic           ID         Technique                   Implementation
Initial Access   T1195.002  Supply Chain Compromise     Trojanized axios npm packages
Execution        T1059.001  PowerShell                  Windows RAT via renamed wt.exe
Execution        T1059.006  Python                      Linux RAT at /tmp/ld.py
Execution        T1059.002  AppleScript                 macOS dropper via osascript
Execution        T1059.005  VBScript                    Windows VBScript dropper 6202033.vbs
Persistence      T1547.001  Registry Run Key            HKCU\...\Run\MicrosoftUpdate
Defense Evasion  T1036.005  Match Legitimate Name       wt.exe masquerading as Windows Terminal
Defense Evasion  T1036.004  Masquerade Task or Service  com.apple.act.mond mimics Apple daemon
Defense Evasion  T1027      Obfuscated Files            XOR (OrDeR_7077) + Base64 in setup.js
Defense Evasion  T1553.002  Code Signing                Ad-hoc codesigning on macOS
Discovery        T1082      System Info Discovery       RAT sends hostname, OS, process list
C&C              T1071.001  HTTP                        Port 8000 beaconing every 60s
C&C              T1071.001  Spoofed User-Agent          IE8 User-Agent string on all platforms
Exfiltration     T1041      Over C2 Channel             Process list and system info via HTTP POST

Recommendations


Full threat details, 27 detections, and IOC feeds for the Axios supply chain attack are live across three reports on Threadlinqs Intelligence — TL-2026-0300, TL-2026-0301, and TL-2026-0303.

References

  1. Socket Security — Axios npm Supply Chain Attack Analysis
  2. StepSecurity — Axios Supply Chain Attack: Full Deobfuscation and RAT Analysis
  3. Elastic Security Labs — Axios Supply Chain Compromise Technical Report
  4. Wiz — Axios npm Compromise: Impact Analysis and Detection
  5. Picus Security — Axios Attack Simulation and Defense Validation
  6. GitHub Advisory — GHSA-fw8c-xr5c-95f9
  7. npm Advisory — Malicious Axios Versions Deprecated
  8. Hacker News — Axios Supply Chain Discussion Thread

Threadlinqs Intel Team

Threat Intelligence Analyst

Hatim covers supply chain security, npm ecosystem threats, and cross-platform malware at Threadlinqs Intelligence. He tracks attacker tradecraft from initial access through persistence, translating observed kill chains into production-ready detection engineering.