Overview
- The npm account of Axios's lead maintainer was hijacked early Tuesday UTC, and the attackers used it to publish axios@1.14.1 and 0.30.4 before npm pulled both releases within hours.
- Both releases added a fake dependency, plain-crypto-js@4.2.1, whose postinstall script fetched OS-specific RAT payloads from sfrclak.com:8000 and then covered its tracks by restoring a clean manifest.
- Because axios is present in roughly 80% of cloud and code environments with about 100 million weekly downloads, researchers still observed execution in about 3% of affected environments despite the short window.
- Security firms advise downgrading to 1.14.0 or 0.30.3, removing plain-crypto-js, hunting for artifacts like /Library/Caches/com.apple.act.mond or %PROGRAMDATA%\wt.exe, rotating all secrets, and auditing CI runs that installed the bad versions.
- Analysts also flagged @shadanai/openclaw and @qqbrowser/openclaw-qbot as carrying the same malware chain, underscoring an operation focused on reconnaissance and credential theft rather than smash-and-grab monetization.
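A defender-side triage check for the indicators listed above, added here as an example and not taken from the original post or from any vendor tool: it walks a parsed package-lock.json for the pulled axios releases, the injected plain-crypto-js dependency and the two flagged packages, and checks the host for the named artifacts. The sample lockfile is constructed for the demonstration.

```python
import os
from pathlib import Path

# Indicators from the summary above: pulled axios releases, the injected dependency, related packages, host artifacts.
MALICIOUS_AXIOS = {"1.14.1", "0.30.4"}
INJECTED_DEP = "plain-crypto-js"
RELATED_PACKAGES = {"@shadanai/openclaw", "@qqbrowser/openclaw-qbot"}
HOST_ARTIFACTS = ["/Library/Caches/com.apple.act.mond", r"%PROGRAMDATA%\wt.exe"]

def installed_packages(lock: dict) -> dict:
    """name -> version from a parsed package-lock.json; handles the v2/v3
    'packages' map and the nested v1 'dependencies' tree."""
    found = {}
    for path, meta in lock.get("packages", {}).items():
        if path:  # "" is the root project entry, not a dependency
            found[path.split("node_modules/")[-1]] = meta.get("version")

    def walk(deps):
        for name, meta in deps.items():
            found.setdefault(name, meta.get("version"))
            walk(meta.get("dependencies", {}))
    walk(lock.get("dependencies", {}))
    return found

def scan_lockfile(lock: dict) -> list:
    """Findings as strings; an empty list means no indicator matched."""
    pkgs = installed_packages(lock)
    findings = []
    if pkgs.get("axios") in MALICIOUS_AXIOS:
        findings.append(f"axios@{pkgs['axios']} is a pulled release; pin 1.14.0 or 0.30.3")
    if INJECTED_DEP in pkgs:
        findings.append(f"{INJECTED_DEP}@{pkgs[INJECTED_DEP]} is present; remove it")
    for name in sorted(RELATED_PACKAGES & pkgs.keys()):
        findings.append(f"{name}@{pkgs[name]} carries the same malware chain")
    return findings

def present_host_artifacts(paths=HOST_ARTIFACTS) -> list:
    """Artifact paths that exist on this host, with %VAR% expanded on Windows."""
    return [p for p in paths if Path(os.path.expandvars(p)).exists()]

# Constructed sample lockfile (v3 layout) for a project that pulled the bad release; not from any real project.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app", "version": "1.0.0"},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/plain-crypto-js": {"version": "4.2.1"},
    },
}
```

Feed it a real lockfile with `json.load(open("package-lock.json"))`; any finding from scan_lockfile is the cue to rotate secrets and audit the CI runs that installed that lockfile, per the advice above.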