StepSecurity disclosed that on March 31, 2026 two malicious axios npm releases, axios@1.14.1 and axios@0.30.4, were published from a compromised maintainer account. The attacker added a dependency on an attacker-controlled package, plain-crypto-js@4.2.1, whose postinstall script acted as a cross-platform remote access trojan (RAT) dropper: it fetched a platform-specific second-stage payload, then deleted itself and scrubbed its own package.json to evade detection. To avoid the "brand-new package" heuristics that flag zero-history dependencies, the attacker had pre-staged a benign-looking plain-crypto-js@4.2.0 beforehand. The maintainer account's email was changed to a ProtonMail address, and the releases were pushed directly with the npm CLI rather than through the project's CI/CD pipeline, sidestepping its controls. StepSecurity urges users to pin axios to 1.14.0 or 0.30.3, to assume compromise if the tainted versions were installed (the postinstall hook ran with the installing user's privileges), to rotate credentials reachable from affected hosts, and to inspect network logs for the published IOCs while the investigation continues. Because the payload ran from an install hook rather than from axios's own code, a lockfile audit should look for the dropped package and for any newly introduced install scripts, not only for the axios version string.