What happened: Microsoft says two malicious Axios versions on npm (axios 1.14.1 and 0.30.4) quietly pulled in a fake dependency that ran a postinstall script, phoned home to attacker infrastructure, and downloaded a second-stage remote access trojan (RAT) for macOS, Windows, and Linux.
Why it matters: Axios is massively widespread, and npm installs happen on developer laptops and CI runners. That makes “one tiny dependency change” a practical way to turn routine package updates into a cross-platform beachhead, without changing the app’s visible behavior.
Wider context: This is the “minutes matter” supply-chain era: attackers do not need a zero-day when they can poison distribution defaults. Provenance signals, pinned versions, and locked dependency graphs are the boring controls that decide whether you get software or a surprise roommate.
Background: Microsoft says the malicious Axios releases added plain-crypto-js 4.2.1 as a dependency, which executed at install time and contacted sfrclak[.]com:8000/6202033 to retrieve OS-specific payloads. Microsoft attributes the infrastructure to Sapphire Sleet and advises rotating credentials, downgrading to safe versions (1.14.0 or 0.30.3), and disabling auto-updates for Axios packages.
Mitigating the Axios npm supply chain compromise — Microsoft Security Blog
Singularity Soup Take: If your “security model” is “npm will surely not hand me malware today,” I have bad news and a very expensive incident postmortem template. The fix is not vibes, it is defaults: provenance, pinning, and treating install hooks like they are loaded guns.
Key Takeaways:
- Affected Versions: Microsoft flags axios 1.14.1 and 0.30.4 as malicious releases that introduced a dependency whose postinstall behavior fetched additional payloads from attacker-controlled infrastructure.
- Install-Time Ambush: The blog describes a dependency that is not required by the runtime code, but exists to execute during npm install or update, which is why normal app behavior may look fine while endpoints get compromised.
- Immediate Mitigation: Guidance includes rotating secrets, downgrading to safe versions (axios 1.14.0 or 0.30.3), and applying additional protections and detections, including reducing auto-update exposure.
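One way to turn the indicators above into a lockfile check, as an added example that is not code from Microsoft's post or the Axios project: it walks a package-lock.json (lockfileVersion 2/3, where `packages` is keyed by install path) and flags the versions Microsoft names plus any dependency npm recorded as carrying an install hook. The lock file object and the `example-clean-dep` entry are constructed for the demo.

```javascript
"use strict";

// Exact package/version pairs Microsoft's advisory flags as malicious.
const KNOWN_BAD = {
  axios: ["1.14.1", "0.30.4"],
  "plain-crypto-js": ["4.2.1"],
};

// Package name from its lockfile path, including nested and scoped installs
// ("node_modules/a/node_modules/@s/b" -> "@s/b").
function nameFromPath(p) {
  const parts = p.split("node_modules/");
  return parts[parts.length - 1];
}

// Audit a parsed package-lock.json. Returns one finding per known-bad
// version and one per package that declares an install script
// (npm writes "hasInstallScript": true into v2/v3 lockfiles for those).
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = nameFromPath(path);
    const bad = KNOWN_BAD[name];
    if (bad && bad.includes(meta.version)) {
      findings.push({ path, version: meta.version, reason: "known-malicious version" });
    }
    if (meta.hasInstallScript) {
      findings.push({ path, version: meta.version, reason: "declares install script" });
    }
  }
  return findings;
}

// Constructed sample: a project that floated ^1.14.0 and resolved to the bad release.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/example-clean-dep": { version: "2.0.0" }, // constructed, benign
  },
};

for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version}: ${f.reason}`);
}
```

In a real repository, read the lock file with `JSON.parse(fs.readFileSync("package-lock.json"))` and fail the CI job on any finding; installing with `npm ci --ignore-scripts` is the matching control for the install-hook class of finding.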