Overview
- An attacker used the stolen npm account of maintainer jasonsaayman early Tuesday UTC to publish axios@1.14.1 and 0.30.4, which npm removed within hours.
- The releases added a dependency on plain-crypto-js@4.2.1, a malicious package whose postinstall script runs automatically at install time and fetches a remote-access trojan from sfrclak.com:8000.
- The malware dropped OS-specific payloads disguised as com.apple.act.mond on macOS, wt.exe on Windows, and ld.py on Linux, then beaconed to its operator for commands every minute.
- Wiz says that even this brief window led to execution in about 3% of affected environments, because Axios is present in roughly 80% of cloud and code environments and sees about 100 million weekly downloads.
- Researchers advise downgrading to 1.14.0 or 0.30.3, hunting for RAT files and plain-crypto-js, rotating all credentials, blocking the C2 domain and IP, and checking related packages such as @shadanai/openclaw and @qqbrowser/openclaw-qbot.
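As an added example (not from the report or from the Axios project), the version check in the last bullet written as a script that audits an npm package-lock.json (lockfile v1, v2 or v3) for the compromised axios releases and the planted plain-crypto-js dependency; the package and version indicators come from the report above, and the embedded lockfile is constructed for illustration.

```python
import json
import sys

# Indicator values taken from the report: compromised axios releases and
# the malicious dependency they pulled in.
MALICIOUS_AXIOS = {"1.14.1", "0.30.4"}
MALICIOUS_DEPS = {"plain-crypto-js": {"4.2.1"}}


def _walk_v1(deps, prefix=""):
    """Yield (path, name, version) from a lockfileVersion 1 'dependencies' tree."""
    for name, meta in (deps or {}).items():
        path = f"{prefix}node_modules/{name}"
        yield path, name, meta.get("version", "")
        yield from _walk_v1(meta.get("dependencies"), path + "/")


def iter_packages(lock):
    """Yield (path, name, version) for every installed package in a lockfile."""
    if "packages" in lock:  # lockfileVersion 2 and 3: flat map keyed by path
        for path, meta in lock["packages"].items():
            if path:  # "" is the root project itself, not a dependency
                yield path, path.rsplit("node_modules/", 1)[-1], meta.get("version", "")
    else:  # lockfileVersion 1: nested 'dependencies' tree
        yield from _walk_v1(lock.get("dependencies"))


def find_indicators(lock):
    """Return human-readable findings for compromised axios or plain-crypto-js entries."""
    findings = []
    for path, name, version in iter_packages(lock):
        if name == "axios" and version in MALICIOUS_AXIOS:
            findings.append(f"{path}: axios@{version} is a compromised release")
        if name in MALICIOUS_DEPS:
            # Any copy of the planted package is suspicious; flag the known-bad version explicitly.
            tag = "malicious" if version in MALICIOUS_DEPS[name] else "unexpected (verify)"
            findings.append(f"{path}: {name}@{version} is {tag}")
    return findings


# Constructed sample: a v3 lockfile that resolved the bad release and its dropper.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/axios/node_modules/plain-crypto-js": {"version": "4.2.1"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
}

if __name__ == "__main__":
    # Usage: python audit_lock.py [path/to/package-lock.json]; defaults to the sample.
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for line in find_indicators(lock) or ["no indicators found"]:
        print(line)
```

A clean result only means the lockfile is unaffected; the dropped RAT files and credential rotation in the bullet above still need to be handled separately.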