Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account

The popular JavaScript HTTP client Axios was compromised via a supply chain attack that injected a malicious dependency, deploying cross-platform remote access trojans to infected developer systems.

Key points

  • Attackers compromised the Axios maintainer's npm account to publish malicious versions 1.14.1 and 0.30.4.
  • The versions injected a fake dependency, "plain-crypto-js," which executed a postinstall script to drop platform-specific malware.
  • The trojan targeted Windows, macOS, and Linux, using a shared command-and-control server at "sfrclak.com."
  • Security researchers identified additional malicious packages, including "@shadanai/openclaw" and "@qqbrowser/openclaw-qbot," distributing the same payload.
  • Users are urged to downgrade to Axios versions 1.14.0 or 0.30.3 and immediately rotate all system credentials.
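A defender-side check for the indicators listed above, written for this summary as an added example (it is not code from the article or from the Axios project): it walks an npm lockfile's `packages` map and flags the compromised Axios releases, the named malicious packages, an Axios entry that pulls in plain-crypto-js, and any other dependency with an install hook. The function names and the sample lockfile are constructed here; the placeholder versions for the malicious packages are not observed values.

```javascript
// Added example (not from The Hacker News article or the Axios project):
// flag the summary's indicators inside a package-lock.json (lockfileVersion
// 2/3 "packages" map). Function names and the sample lockfile are constructed.
const COMPROMISED_AXIOS = new Set(['1.14.1', '0.30.4']);
const MALICIOUS_PACKAGES = new Set([
  'plain-crypto-js', '@shadanai/openclaw', '@qqbrowser/openclaw-qbot',
]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromKey(key) {
  const i = key.lastIndexOf('node_modules/');
  return i === -1 ? key : key.slice(i + 'node_modules/'.length);
}

// Returns a list of findings for a parsed package-lock.json object.
function scanLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // root project entry, not a dependency
    const name = packageNameFromKey(key);
    const { version } = entry;
    const hit = (reason) => findings.push({ path: key, name, version, reason });
    if (MALICIOUS_PACKAGES.has(name)) hit('known malicious package');
    if (name === 'axios' && COMPROMISED_AXIOS.has(version)) hit('compromised axios release');
    // The bad releases added plain-crypto-js as a dependency; catch that edge too.
    if (name === 'axios' && entry.dependencies && 'plain-crypto-js' in entry.dependencies) hit('axios depends on plain-crypto-js');
    // npm records hasInstallScript for packages with install-time hooks; review any other such package.
    if (entry.hasInstallScript && !MALICIOUS_PACKAGES.has(name)) hit('runs install script');
  }
  return findings;
}

// Constructed sample: a project that picked up the bad release. The versions
// and dependency range for the malicious package are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '*' } },
    'node_modules/plain-crypto-js': { version: '0.0.0-placeholder', hasInstallScript: true },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

// Run from a CI step, e.g. after JSON.parse of the real lockfile: node scan-lock.js
console.log(scanLockfile(SAMPLE_LOCK));
```

A non-empty result should fail the pipeline; the same scan applied to the live lockfile tells you whether the downgrade to 1.14.0 or 0.30.3 has actually taken effect.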

Why it matters

This incident highlights the severe risk of supply chain attacks in which malicious code is hidden in a transitive dependency rather than in the primary package. Because Axios sees over 83 million weekly downloads, this breach potentially exposes a vast range of enterprise applications and development environments to unauthorized remote access.

Published by The Hacker News (info@thehackernews.com)