FIND-20260331-013 · 2026-03-31 · Innovation Veille

CRITICAL: Axios npm Supply Chain Attack — RAT dropper in axios@1.14.1 and axios@0.30.4

cve HIGH
Axios, the JavaScript HTTP client with 100M+ weekly npm downloads, was compromised via a hijacked maintainer account on March 31 2026. The malicious versions axios@1.14.1 and axios@0.30.4 add a dependency on plain-crypto-js@4.2.1, which deploys a cross-platform Remote Access Trojan (RAT) through an npm postinstall hook. The RAT targets macOS, Windows and Linux with platform-specific payloads, establishes C2 to sfrclak[.]com:8000, exfiltrates system data, executes arbitrary commands, and self-deletes its traces. Feross Aboukhadijeh (Socket founder) flagged this immediately; Socket's automated malware detection caught the malicious package within 6 minutes of publication. The safe version is axios@1.14.0 or earlier (note that 0.30.4 on the 0.x line is likewise compromised). ODS projects have no direct axios dependency; strapi-cms carries it as a transitive dependency at v1.13.5 (safe). All Node.js project lockfiles should be audited and axios should be pinned below 1.14.1.

Source

https://socket.dev/blog/axios-npm-package-compromised

ODS Impact

ODS projects do not directly depend on axios in any service package.json. The strapi-cms project has axios@1.13.5 as a transitive dependency (safe — below the compromised versions). However: (1) any unpinned npm install that resolves the latest axios on an affected project could pull 1.14.1; (2) CI/CD pipelines running npm install without lockfile enforcement (npm ci against a committed lockfile) are at risk; (3) the cascading packages @shadanai/openclaw and @qqbrowser/openclaw-qbot are also affected, and ODS does not use these. Immediate action: run npm audit on all Node.js projects, verify that lockfiles pin axios below 1.14.1 (and not to 0.30.4) and contain no plain-crypto-js entry, and add axios to the dependency allowlist with an explicit safe version.

Security Review

License: N/A — malicious package | Maintenance: ACTIVE | Risk: HIGH | Recommendation: DO_NOT_USE

Tags

supply-chain npm nodejs cve malware rat axios critical security