Date of Incident: March 31, 2026
Severity: CRITICAL
Status: Malicious packages removed from npm registry (03:29 UTC same day)

📋 EXECUTIVE SUMMARY

On March 31, 2026, the popular JavaScript HTTP client library Axios (over 300 million weekly downloads) was compromised in a sophisticated supply chain attack. The attacker hijacked an official maintainer account and published malicious versions containing a hidden dependency that deployed cross-platform Remote Access Trojans (RATs).

Attack Window: 3 hours (00:21 UTC - 03:29 UTC)

• Snyk Advisory ID: SNYK-JS-AXIOS-15850650

• Malicious Dependency: plain-crypto-js@4.2.1

• Command & Control: sfrclak[.]com:8000 (IP: 142.11.206.73)

🚨 THREAT ANALYSIS

Affected Packages

Attack Vector Details

The attacker did NOT modify Axios source code directly. Instead, they injected a malicious dependency plain-crypto-js@4.2.1 into package.json files. When developers ran:

npm

npm

npm

Npm automatically resolved and installed plain-crypto-js@4.2.1, then executed its postinstall hook:

node setup.js  // ← MALICIOUS ENTRY POINT

node setup.js  // ← MALICIOUS ENTRY POINT

node setup.js  // ← MALICIOUS ENTRY POINT

Sophistication Level: HIGH

• Pre-staging: Clean version (4.2.0) published 18 hours prior to establish legitimate history

• Double Obfuscation: Base64 encoding + XOR cipher

• Self-erasing: Deleted all traces after execution

• Platform-specific: Custom malware for macOS, Windows, and Linux

Platform-Specific Payloads

🍎 macOS

• Location: /Library/Caches/com.apple.act.mond (spoofing Apple daemon)

• Beacon Frequency: Every 60 seconds

• Capabilities: System fingerprinting, process enumeration, arbitrary command execution

💻 Windows

• Location: %PROGRAMDATA%\wt.exe (masquerading as Windows Terminal)

• Execution: Hidden PowerShell RAT with policy bypass flags

• Delivery: VBScript downloader

🐧 Linux

• Location: /tmp/ld.py

• Execution: nohup python3 as orphaned background process

• Detection Evasion: Detached from terminal session

🔍 DETECTION TECHNIQUES & INDICATORS OF COMPROMISE (IOCs)

File System IOCs

Network IOCs

• Domain: sfrclak[.]com:8000

• IP Address: 142.11.206.73

• Port: 8000

• Detection Methods:

  • Firewall rules blocking outbound connections

  • IDS/IPS alerts for known malicious IPs

  • Network flow analysis

Build Environment IOCs

# Check lockfiles for affected versions
grep -E '"axios"' package-lock.json | grep -E '1\.14\.1|0\.30\.4'
grep -E 'axios@' yarn.lock | grep -E '1\.14\.1|0\.30\.4'

# Detect malicious dependency in node_modules
npm ls plain-crypto-js
find node_modules -name "plain-crypto-js" -type d

# Bun users: Check bun.lock file
grep -E 'axios' bun.lock | grep -E '1\\.14\\.1|0\\.30\\.4'
grep 'plain-crypto-js'

# Check lockfiles for affected versions
grep -E '"axios"' package-lock.json | grep -E '1\.14\.1|0\.30\.4'
grep -E 'axios@' yarn.lock | grep -E '1\.14\.1|0\.30\.4'

# Detect malicious dependency in node_modules
npm ls plain-crypto-js
find node_modules -name "plain-crypto-js" -type d

# Bun users: Check bun.lock file
grep -E 'axios' bun.lock | grep -E '1\\.14\\.1|0\\.30\\.4'
grep 'plain-crypto-js'

# Check lockfiles for affected versions
grep -E '"axios"' package-lock.json | grep -E '1\.14\.1|0\.30\.4'
grep -E 'axios@' yarn.lock | grep -E '1\.14\.1|0\.30\.4'

# Detect malicious dependency in node_modules
npm ls plain-crypto-js
find node_modules -name "plain-crypto-js" -type d

# Bun users: Check bun.lock file
grep -E 'axios' bun.lock | grep -E '1\\.14\\.1|0\\.30\\.4'
grep 'plain-crypto-js'

Runtime IOCs (Post-Infection)

• Unexpected processes matching IOC paths

• Outbound connections to 142.11.206.73 or sfrclak[.]com

• Modified system directories (/Library/Caches, %PROGRAMDATA%, /tmp)

• Fake user-agent strings (IE8/Windows XP) in network traffic

🛡️ MITIGATION PLAN

IMMEDIATE ACTIONS (Within First 4 Hours)

🔒 Containment

# Isolate the system immediately
# macOS: Network isolation + disable external access
sudo sh -c "networksetup -setcomputername 'isolated'"
# Windows: Disconnect from network or disable WiFi/Ethernet
shutdown /r /t 0  # Reboot to isolated environment

# Isolate the system immediately
# macOS: Network isolation + disable external access
sudo sh -c "networksetup -setcomputername 'isolated'"
# Windows: Disconnect from network or disable WiFi/Ethernet
shutdown /r /t 0  # Reboot to isolated environment

# Isolate the system immediately
# macOS: Network isolation + disable external access
sudo sh -c "networksetup -setcomputername 'isolated'"
# Windows: Disconnect from network or disable WiFi/Ethernet
shutdown /r /t 0  # Reboot to isolated environment

🔑 Credential Rotation (CRITICAL!)

# Rotate ALL credentials on affected systems:
- API keys (AWS, Azure, GCP)
- SSH keys
- npm tokens (.npmrc files)
- GitHub/GitLab access tokens
- Docker credentials
- Database credentials
-

# Rotate ALL credentials on affected systems:
- API keys (AWS, Azure, GCP)
- SSH keys
- npm tokens (.npmrc files)
- GitHub/GitLab access tokens
- Docker credentials
- Database credentials
-

# Rotate ALL credentials on affected systems:
- API keys (AWS, Azure, GCP)
- SSH keys
- npm tokens (.npmrc files)
- GitHub/GitLab access tokens
- Docker credentials
- Database credentials
-

🔍 Network Traffic Analysis

# Check for C2 communication
# macOS:
lsof -i :8000
netstat -an | grep sfrclak[.]com

# Windows (PowerShell):
Get-NetTCPConnection -ErrorAction SilentlyContinue | 
Where-Object { $_.LocalPort -eq 8000 }

# Linux:
ss -tuln
netstat -tulpn

# Check for C2 communication
# macOS:
lsof -i :8000
netstat -an | grep sfrclak[.]com

# Windows (PowerShell):
Get-NetTCPConnection -ErrorAction SilentlyContinue | 
Where-Object { $_.LocalPort -eq 8000 }

# Linux:
ss -tuln
netstat -tulpn

# Check for C2 communication
# macOS:
lsof -i :8000
netstat -an | grep sfrclak[.]com

# Windows (PowerShell):
Get-NetTCPConnection -ErrorAction SilentlyContinue | 
Where-Object { $_.LocalPort -eq 8000 }

# Linux:
ss -tuln
netstat -tulpn

🔄 System Rebuild (RECOMMENDED)

⚠️ DO NOT ATTEMPT TO CLEAN COMPROMISED SYSTEMS
The RAT is sophisticated with anti-forensics capabilities. Full rebuild from clean image required.

PREVENTIVE MEASURES

Package Manager Best Practices

// 1. Pin specific versions (SAFE versions)
// Replace in package.json:
"axios": "^1.6.0"  // or any version > 1.14.1 or < 0.30.4

// 1. Pin specific versions (SAFE versions)
// Replace in package.json:
"axios": "^1.6.0"  // or any version > 1.14.1 or < 0.30.4

// 1. Pin specific versions (SAFE versions)
// Replace in package.json:
"axios": "^1.6.0"  // or any version > 1.14.1 or < 0.30.4

# 2. Commit lockfiles and use 'npm ci' (not 'npm install')
git add package-lock.json
git commit -m "Commit lockfile for integrity"
// In CI/CD: Use 'npm ci' instead of 'npm install'

# 2. Commit lockfiles and use 'npm ci' (not 'npm install')
git add package-lock.json
git commit -m "Commit lockfile for integrity"
// In CI/CD: Use 'npm ci' instead of 'npm install'

# 2. Commit lockfiles and use 'npm ci' (not 'npm install')
git add package-lock.json
git commit -m "Commit lockfile for integrity"
// In CI/CD: Use 'npm ci' instead of 'npm install'

# 3. Add malicious package to blocklist
# .npmrc file or security tooling blocklist:

# 3. Add malicious package to blocklist
# .npmrc file or security tooling blocklist:

# 3. Add malicious package to blocklist
# .npmrc file or security tooling blocklist:

# 4. Consider --ignore-scripts for CI (if post-install not needed)
npm ci --ignore-scripts

# 4. Consider --ignore-scripts for CI (if post-install not needed)
npm ci --ignore-scripts

# 4. Consider --ignore-scripts for CI (if post-install not needed)
npm ci --ignore-scripts

Security Tooling Recommendations

Snyk Integration

# Install and run Snyk audit
npm install -g snyk
snyk auth
snyk test

# Check for malicious dependency
snyk test --file=yarn.lock  # For Bun users

# Install and run Snyk audit
npm install -g snyk
snyk auth
snyk test

# Check for malicious dependency
snyk test --file=yarn.lock  # For Bun users

# Install and run Snyk audit
npm install -g snyk
snyk auth
snyk test

# Check for malicious dependency
snyk test --file=yarn.lock  # For Bun users

Continuous Monitoring Setup

• Enable CI/CD pipeline dependency scanning

• Implement runtime process monitoring in build environments

• Configure network egress filtering (block known bad IPs)

• Set up file integrity monitoring for node_modules

Organizational Response Plan

Incident Response Checklist

• Identify all CI/CD pipelines that may have installed affected packages

• Review build logs for March 31, 2026 UTC 00:21-03:29 window

• Check all developer machines for lockfile updates during attack window

• Rotate credentials on any system with potential exposure

• Add plain-crypto-js to security tooling blocklists

• Implement post-install script auditing in CI/CD

• Enable dependency pinning organization-wide

📊 AFFECTED SYSTEMS ASSESSMENT

High-Risk Groups:

1. CI/CD Pipelines without version pinning and running scheduled installs

2. Developers who ran npm install or npm update in attack window

3. Projects depending on secondary compromised packages (@qqbrowser/openclaw-qbot, @shadanai/openclaw)

Mitigation Effectiveness by Control:

🎓 LESSONS LEARNED & BEST PRACTICES

Supply Chain Security Principles:

1. Never trust lockfiles alone - Use version pinning + lockfile commits

2. Audit post-install scripts - Especially in CI/CD environments

3. Monitor build environment runtime - Unexpected process spawns are red flags

4. Rotate credentials after any supply chain incident - Assume compromise

5. Use SLSA levels or equivalent controls - Implement supply chain integrity verification

Recommended Security Stack:

• Snyk for dependency scanning and vulnerability management

• Socket for real-time malicious package detection

• npm-security-best-practices repository for CI/CD hardening

• Regular lockfile security reviews as part of PR process

📞 OFFICIAL RESOURCES

Snyk Advisories:

• Axios Compromise: https://security.snyk.io/vuln/SNYK-JS-AXIOS-15850650

• Malicious Dependency: https://security.snyk.io/vuln/SNYK-JS-PLAINCRYPTOJS-15850652

Additional Resources:

• GitHub Issue Thread: https://github.com/axios/axios/issues/10604

• NPM Security Best Practices: https://github.com/lirantal/npm-security-best-practices

• Snyk Learn (Supply Chain Attacks): https://learn.snyk.io/lesson/compromise-of-legitimate-package/

⚠️ IMPORTANT NOTES

• The malicious versions have been removed from npm registry (March 31, 2026 at 03:29 UTC)

• Anyone who installed during the 3-hour window should assume full system compromise: the RAT was live, beaconing, and capable of executing arbitrary follow-on payloads

• This attack demonstrates sophisticated supply chain threat actor capabilities:

  • Pre-staging malicious dependencies with "clean" history

  • Double-obfuscation techniques to evade static analysis

  • Platform-specific custom malware development

  • Self-erasing anti-forensics

📅 ATTACK TIMELINE

✅ RECOMMENDED ACTIONS SUMMARY

Immediate (Next 1-4 Hours):

1. Audit all lockfiles for affected axios versions (1.14.1 or 0.30.4)

2. Identify any systems that ran npm install during attack window

3. Isolate and rebuild compromised systems

4. Rotate all credentials on affected systems

Short-term (Next 24 Hours):

1. Update all projects to safe axios versions (^1.6.0 or other safe version)

2. Add plain-crypto-js to security tooling blocklists

3. Enable lockfile pinning organization-wide

4. Implement CI/CD scanning for post-install scripts

Long-term (Next Week):

1. Adopt dependency scanning tooling (e.g., Snyk, Socket)

2. Implement runtime monitoring in build environments

3. Review and strengthen maintainer account security policies

4. Establish supply chain incident response procedures

5. Consider using --ignore-scripts in CI/CD environments where lifecycle hooks aren't needed

Report Generated: March 31, 2026
Severity: CRITICAL
Status: Incident Resolved (malicious packages removed from registry)
Threat Actor Sophistication: HIGH
Estimated Blast Radius: Thousands to Millions of systems potentially affected