malware npm
axios
discovered 2026-03-31
axios is identified in the SafeDep analysis "axios Compromised: npm Supply Chain Attack via Dependency Injection". axios 1.14.1 was published to npm via a compromised maintainer account, injecting a trojanized dependency that executes a multi-platform reverse shell on install. No source code changes in axios itself, just a new entry in package.json.
Threat types
rat persistence
Malicious versions
- 1.8.2
Campaigns
Indicators
Techniques
- ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools (uses)
- ttp T1059.007 Command and Scripting Interpreter: JavaScript (uses)
- ttp T1528 Steal Application Access Token (uses)
- ttp T1105 Ingress Tool Transfer (uses)
- ttp T1071.001 Application Layer Protocol: Web Protocols (uses)
- ttp T1102 Web Service (uses)
- ttp T1546 Event Triggered Execution (uses)
