Axios npm package compromised, posing a new supply chain threat
Briefly

"The attacker injected an unknown dependency named plain-crypto-js@4.2.1 into both axios versions. This package is neither imported nor used anywhere in the axios source code. Its sole purpose is to execute a post-install script that acts as a RAT dropper."
"After execution, the dropper script `setup.js` performs three cleanup steps. First, it removes itself; then it deletes the `package.json` file containing the malicious post-install hook; and finally, it replaces that file with a 'clean' version."
On March 31, 2026, two malicious versions of the axios library were published on npm through a compromised maintainer account. These versions installed a Remote Access Trojan on macOS, Windows, and Linux. The attacker injected a fake dependency named plain-crypto-js, whose post-install script dropped the RAT. The malicious package posed as a legitimate library and, after execution, removed the traces of its presence, making detection difficult. The attack highlights the supply-chain risk inherent in package management systems.
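As an added defensive example (not code from the Techzine article or the axios project), the script below audits a tree of installed packages for the two signals this incident describes: an install-time lifecycle hook, which is how the dropper ran, and a dependency that a package declares but never requires or imports. The package tree is constructed inline so it runs offline; the axios version string and the `example-util` dependency are placeholders, while the `plain-crypto-js@4.2.1` indicator and the `setup.js` hook come from the report above. The helper names (`auditTree`, `installHooks`, `unreferencedDependencies`) are this example's own.

```javascript
// Added example, not from the article or the axios project. Audits installed
// packages for install-time hooks and declared-but-unreferenced dependencies.
// In practice you would read each node_modules/<name>/package.json and its
// source files from disk; here the tree is constructed inline.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Indicator taken from the reported incident: the injected package name and version.
const KNOWN_INDICATORS = { "plain-crypto-js": ["4.2.1"] };

// Matches the module specifier in require('x'), import x from 'x' and import('x').
const SPECIFIER_RE = /(?:\brequire\s*\(|\bimport\s*\(|\bfrom)\s*["']([^"']+)["']/g;

// Reduce "lodash/fp" or "@scope/pkg/sub" to its package name; relative and
// absolute paths are not packages and yield null.
function bareName(spec) {
  if (spec.startsWith(".") || spec.startsWith("/")) return null;
  const parts = spec.split("/");
  return spec.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

// Lifecycle hooks in a manifest that npm runs at install time.
function installHooks(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === "string");
}

function isKnownIndicator(manifest) {
  const versions = KNOWN_INDICATORS[manifest.name] || [];
  return versions.includes(manifest.version);
}

// Dependencies listed in the manifest that no source file of the package references.
function unreferencedDependencies(manifest, sources) {
  const referenced = new Set();
  for (const src of sources) {
    for (const match of src.matchAll(SPECIFIER_RE)) {
      const name = bareName(match[1]);
      if (name) referenced.add(name);
    }
  }
  return Object.keys(manifest.dependencies || {}).filter((dep) => !referenced.has(dep));
}

// tree: { [packageName]: { manifest: <package.json object>, sources: [<file text>] } }
function auditTree(tree) {
  const findings = [];
  for (const [pkg, { manifest, sources = [] }] of Object.entries(tree)) {
    const base = { package: pkg, version: manifest.version };
    for (const hook of installHooks(manifest)) {
      findings.push({ ...base, kind: "install-hook", detail: `${hook}: ${manifest.scripts[hook]}` });
    }
    if (isKnownIndicator(manifest)) {
      findings.push({ ...base, kind: "known-indicator", detail: "matches reported malicious package" });
    }
    for (const dep of unreferencedDependencies(manifest, sources)) {
      findings.push({ ...base, kind: "unreferenced-dependency", detail: dep });
    }
  }
  return findings;
}

// Constructed sample tree. The axios version and "example-util" are placeholders;
// the plain-crypto-js entry mirrors what the report describes.
const SAMPLE_TREE = {
  axios: {
    manifest: {
      name: "axios",
      version: "0.0.0-constructed",
      dependencies: { "example-util": "^1.0.0", "plain-crypto-js": "4.2.1" },
    },
    sources: ["const util = require('example-util');\nmodule.exports = util;"],
  },
  "plain-crypto-js": {
    manifest: { name: "plain-crypto-js", version: "4.2.1", scripts: { postinstall: "node setup.js" } },
    sources: [],
  },
  "example-util": {
    manifest: { name: "example-util", version: "1.0.0" },
    sources: ["module.exports = (s) => s.trim();"],
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditTree(SAMPLE_TREE)) {
    console.log(`${f.kind.padEnd(24)} ${f.package}@${f.version}  ${f.detail}`);
  }
}
```

Run against the sample tree this reports the `postinstall` hook and the known indicator on `plain-crypto-js`, and flags `plain-crypto-js` as a dependency axios declares but never requires. One caveat follows directly from the quoted description: because the dropper replaces its own `package.json` with a clean copy, an on-disk audit run after installation may no longer see the hook, so compare the installed manifest with the registry tarball or the lockfile rather than trusting what is left in `node_modules`. Installing with `npm ci --ignore-scripts` prevents install-time hooks from running at all and is the simplest mitigation for this class of dropper.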
Read at Techzine Global