Overview
- Attackers who took over the lead maintainer’s npm account pushed axios@1.14.1 and 0.30.4 early Tuesday UTC, inserting a fake dependency that ran a postinstall script and was pulled from the registry within roughly three hours.
- The added package, plain-crypto-js@4.2.1, contacted sfrclak.com:8000 and installed a remote access trojan on macOS, Windows, or Linux, then tried to erase evidence by deleting the script and swapping in a clean-looking manifest.
- npm removed the malicious releases and placed the trojanized dependency on security hold, and researchers advised downgrading to axios 1.14.0 or 0.30.3, auditing lockfiles, rotating all exposed credentials, and hunting for RAT artifacts on hosts.
- Google’s Threat Intelligence Group attributed the operation to suspected North Korean actor UNC1069, and Wiz reported observed execution in about 3% of scanned environments despite the short exposure window.
- Socket flagged two other packages carrying the same malware pattern, highlighting how npm’s postinstall hooks and automated builds can spread a brief registry compromise through developer machines and CI pipelines.
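A defender-side check for the lockfile audit recommended above, added here as an example that is not part of the original write-up. It uses only the package names and versions quoted in the summary; the lockfile it scans is constructed, and it handles both the v2/v3 `packages` map and the v1 nested `dependencies` layout.

```python
# Added example (not from the write-up): flag the axios/plain-crypto-js
# releases named above in a package-lock.json. The lockfile below is constructed.
import json

# Known-bad releases from the incident summary.
MALICIOUS = {
    "axios": {"1.14.1", "0.30.4"},
    "plain-crypto-js": {"4.2.1"},
}

def iter_lock_entries(lock: dict):
    """Yield (name, version) for every package in a lockfile.

    lockfileVersion 2/3: "packages" keyed by install path, e.g.
    "node_modules/a/node_modules/axios"; lockfileVersion 1: nested "dependencies".
    """
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # root project entry, not a dependency
        yield path.split("node_modules/")[-1], meta.get("version")

    def walk(deps: dict):
        for name, meta in deps.items():
            yield name, meta.get("version")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))

def find_compromised(lock: dict) -> list[tuple[str, str]]:
    """Return sorted (name, version) pairs matching a known-bad release."""
    hits = {(n, v) for n, v in iter_lock_entries(lock) if v in MALICIOUS.get(n, ())}
    return sorted(hits)

# Constructed v3 lockfile: top-level axios is clean, but a transitive copy
# under some-sdk pins the trojanized release and pulls in the fake dependency.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo", "version": "1.0.0"},
    "node_modules/axios": {"version": "1.14.0"},
    "node_modules/some-sdk/node_modules/axios": {"version": "1.14.1"},
    "node_modules/plain-crypto-js": {"version": "4.2.1"}
  }
}""")

if __name__ == "__main__":
    for name, version in find_compromised(SAMPLE_LOCK):
        print(f"COMPROMISED: {name}@{version}")  # axios@1.14.1, plain-crypto-js@4.2.1
```

Nested copies matter because a clean top-level pin does not protect against a transitive dependency that pulled the bad release during the exposure window.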