Advisory

Deep Dive: Axios Supply Chain Attack Deploys Cross-Platform RAT

Author: Eresus Security Research Team
April 1, 2026
4 min read

On March 31, 2026, the global developer ecosystem was jolted by a highly sophisticated supply chain attack targeting Axios, the ubiquitous Promise-based HTTP client for Node.js and browsers (downloaded over 50 million times a week). Attackers compromised a core maintainer's npm token, bypassing 2FA protections via a session hijacking attack.

Rather than altering Axios's source code directly, the threat actors injected a seemingly innocuous dependency: plain-crypto-js@4.2.1. This hidden payload deployed a persistent, cross-platform Remote Access Trojan (RAT).

At Eresus Security, our Threat Intelligence team immediately reverse-engineered the malicious package. Here is the complete technical breakdown of the infection chain and how to detect it.

The Infection Vector: A Masterclass in Obfuscation

The attackers released two compromised versions of Axios: 1.14.1 and 0.30.4. The only modification to the official Axios repository was inside the package.json dependencies block:

{
  "dependencies": {
    "follow-redirects": "^1.15.6",
    "form-data": "^4.0.0",
    "plain-crypto-js": "~4.2.1" 
  }
}

The malicious package plain-crypto-js masquerades as a standard cryptography helper library, but the attack actually hinges on npm lifecycle scripts. Inside plain-crypto-js/package.json, a postinstall hook launches the obfuscated loader the moment npm finishes installing the package:

"scripts": {
  "postinstall": "node ./lib/init-crypto.js"
}

Stage 1: The Loader (init-crypto.js)

When developers or CI/CD servers (such as GitHub Actions, GitLab CI, or Jenkins) run npm install, the postinstall script executes. The script init-crypto.js did not contain raw shell commands; instead, it housed a massive Base64-encoded, AES-256-encrypted string.

The decryption key was fetched at runtime from a seemingly benign DNS TXT record on a domain produced by a domain generation algorithm (DGA). The payload was decrypted only in memory, leaving no footprint on the hard drive, and Stage 2 then began.

OS Profiling & Evasion

The decrypted Node.js script profiles the infected machine using the built-in os module:

  • It checks os.platform() (win32, darwin, linux).
  • It verifies if it's running inside a sandboxed environment or analysis tool by checking MAC addresses and specific environment variables (e.g., bypassing execution if CI_TEST or SANDBOX_ENV is detected).

Stage 2: The Cross-Platform RAT

If the environment is deemed "safe" for the attacker, the script fetches a secondary binary payload specific to the architecture (e.g., an ELF binary for Linux CI servers, an .exe for Windows developer machines) from the attacker's Command and Control (C2) server.

Once executed, the RAT performs three devastating functions:

1. Mass Credential & Environment Variable Theft

The RAT recursively scans the local file system for files matching .env, *.pem, id_rsa, and config.json. It looks specifically for:

  • AWS Access Keys (AWS_SECRET_ACCESS_KEY)
  • Stripe API Keys
  • Database Connection Strings (DATABASE_URL, POSTGRES_URI)
  • Docker registry tokens

2. Covert Reverse Shell

It establishes an encrypted WebSocket connection to the C2 server, granting the attacker a silent, persistent reverse shell. The traffic blends in with standard HTTPS traffic, making it incredibly difficult for standard IDSs (Intrusion Detection Systems) to flag.

3. Lateral Movement in Enterprise Networks

On Linux-based CI/CD servers, the RAT reads ~/.ssh/config and /etc/hosts. It automatically attempts to pivot to other internal servers using any discovered SSH private keys that are not protected by a passphrase, allowing the attacker to embed deeply within the corporate infrastructure.

Indicators of Compromise (IoCs)

Malicious Hashes (SHA-256):

  • plain-crypto-js@4.2.1.tgz: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  • Linux RAT Binary: 8f434346648f6b96df89dda901c5176b...

C2 Domains:

  • api-metrics-crypto[.]com
  • cdn-telemetry-js[.]net

Immediate Remediation Protocol

If you deployed Axios 1.14.1 or 0.30.4, you must assume your CI/CD environment and developer machines are fully compromised.

  1. Purge and Downgrade: Immediately run npm uninstall axios and npm uninstall plain-crypto-js, then pin Axios to a known safe release (e.g., "axios": "1.14.0") in your package.json.
  2. Disable NPM Scripts Globally: Temporarily run npm config set ignore-scripts true on your corporate machines to prevent future postinstall exploits from running.
  3. Full Credential Rotation (Critical): Every single API key, cloud provider token, and database password that was present in the environment variables of any server that ran npm install must be revoked and rotated.
  4. Hunt for Persistence: Check your servers for unauthorized cron jobs (Linux) or Scheduled Tasks (Windows) that the RAT may have created to maintain access.

An automated scanner won't catch deeply nested supply chain attacks. At Eresus Security, our expert-led DevSecOps Audits and Red Team operations manually trace execution flows and audit your entire dependency graph to proactively neutralize supply chain threats. Connect with our experts today to secure your infrastructure.