Axios NPM Package Compromise Deploying RAT Affecting Node.js Environments

Published on 01-Apr-2026 16:00:00

Executive Summary

A recent software supply-chain compromise involving the widely used Axios JavaScript HTTP client library has been identified within the npm ecosystem and is associated with CVE-2026-32746. In this incident, attackers gained unauthorized access to an Axios maintainer's npm account and published malicious versions of the Axios package containing a Remote Access Trojan (RAT) capable of affecting Windows, Linux, and macOS systems. Security researchers describe it as a custom cross-platform RAT embedded in the malicious dependency (plain-crypto-js).

Axios is a widely used HTTP client library in the Node.js ecosystem with millions of weekly downloads. Due to its extensive use in web applications, APIs, and development environments, this compromise poses a significant software supply-chain risk, potentially affecting developer systems, CI/CD pipelines, and production environments. Although the malicious versions were removed shortly after discovery, systems that installed the compromised packages during the exposure window may have already been infected. Given the extensive use of Axios in web services, APIs, fintech systems, SaaS platforms, and cloud applications, organizations in Bangladesh utilizing Node.js development environments may be at risk.

Figure: Axios Supply Chain Compromise Attack Flow [Source: phoenix.security]

Attack Chain Analysis

Threat intelligence analysis indicates the attack followed a supply-chain compromise pattern:

Maintainer Account Compromise: Attackers gained control of the npm account of an Axios maintainer.

Malicious Package Publication: Two compromised versions were released:

  • axios@1.14.1
  • axios@0.30.4

Dependency Injection: The malicious versions added a hidden dependency:

  • plain-crypto-js@4.2.1

Execution of Malicious Script: The dependency executed a post-install script automatically during npm install.

RAT Deployment: Platform-specific payloads were downloaded for Windows, macOS, and Linux.

Command-and-Control Communication: Infected systems contacted attacker infrastructure to receive commands and exfiltrate credentials.

The malicious script executed automatically during dependency installation, meaning developers or CI/CD systems installing the compromised package could become infected without directly interacting with malicious code.

Attack Mechanism

The attack followed this chain:

  • Maintainer account compromise on npm.
  • Malicious Axios versions published to npm registry.
  • Hidden dependency (plain-crypto-js) added.
  • Post-install script executed automatically.
  • Cross-platform RAT installed on victim systems.

Once installed, the malware can:

  • Exfiltrate credentials
  • Steal SSH keys
  • Access .env secrets
  • Access Kubernetes tokens
  • Establish remote command execution capabilities

Relevance to Bangladesh

Although this supply-chain attack is global in scope, it may impact organizations in Bangladesh because:

  • Many Bangladeshi companies use Node.js frameworks such as Express, NestJS, and Next.js, which rely on Axios.
  • Software development teams frequently use npm dependency management.
  • Cloud platforms and fintech systems rely heavily on JavaScript-based API integrations.

Therefore, any development environment that installed Axios during the exposure window may be compromised.

Potential Impact

Successful compromise may result in:

  • Remote access to developer workstations
  • Theft of SSH keys and credentials
  • Access to cloud infrastructure secrets
  • Exposure of environment variables (.env)
  • Compromise of CI/CD pipelines
  • Unauthorized access to production systems

The malware was specifically designed to harvest sensitive development environment secrets, including:

  • AWS / Azure / GCP credentials
  • Kubernetes tokens
  • SSH private keys
  • cryptocurrency wallet files
  • shell history files

These credentials could enable attackers to pivot into enterprise infrastructure or cloud environments.

Indicators of Compromise (IOCs)

MITRE ATT&CK Techniques

These behaviors are typical of supply-chain malware implants targeting developer environments and CI/CD pipelines.

Exposure Window

The malicious versions were available on the npm registry for approximately two to three hours before being removed. During this exposure period, any environment performing npm install or npm update may have automatically installed the compromised packages.

Recommended Mitigation Measures

Organizations should immediately take the following actions:

Endpoint Detection: Look for

  • Executables created in /tmp or %PROGRAMDATA%
  • Unexpected Python or shell execution
  • Post-install scripts executing during dependency installation
  • Suspicious modifications in node_modules

Verify Installed Axios Versions:

Check installed packages: npm list axios

Search dependency lock files: grep axios package-lock.json

Remove Malicious Versions: 

Reinstall safe versions: npm install axios@1.14.0 or npm install axios@0.30.3

Remove Malicious Dependency: 

Check for node_modules/plain-crypto-js; if present, treat the system as potentially compromised.

Rotate Credentials and Monitor: Immediately rotate any credentials that may have been exposed on affected systems (the secrets listed under Potential Impact), and monitor for:

  • suspicious processes 
  • unexpected outbound connections 
  • unauthorized system modifications 
  • newly created files in temporary directories

Supply Chain Security Recommendations: To reduce future risks:

  • Implement Software Composition Analysis (SCA)
  • Enforce dependency version pinning
  • Use private package registries
  • Monitor dependency changes in CI/CD pipelines
  • Implement SBOM (Software Bill of Materials)

Supply-chain attacks targeting open-source packages are increasing, and organizations should treat package dependency management as a critical security control.

References

https://snyk.io/blog/axios-npm-package-compromised-supply-chain-attack-delivers-cross-platform/

https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat

https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan

https://phoenix.security/axios-supply-chain-compromise-npm-rat-2026/

https://www.wiz.io/blog/axios-npm-compromised-in-supply-chain-attack

https://www.elastic.co/security-labs/axios-one-rat-to-rule-them-all

https://www.huntress.com/blog/supply-chain-compromise-axios-npm-package

https://www.esecurityplanet.com/threats/axios-npm-attack-deploys-cross-platform-rat
