Securing the Supply Chain: How SentinelOne's AI EDR Stops the ...

On March 31, 2026, a North Korean state actor hijacked the npm credentials of the primary Axios maintainer and published two backdoored releases that deployed a cross-platform remote access trojan (RAT) to Windows, macOS, and Linux systems. Axios is the most widely used HTTP client in the JavaScript ecosystem, with approximately 100 million weekly downloads and a presence in roughly 80% of cloud and code environments.

Pulse ID: 69cf03e05f6b299dc3efd2cd
Pulse Link: https://otx.alienvault.com/pulse/69cf03e05f6b299dc3efd2cd
Pulse Author: AlienVault
Created: 2026-04-03 00:03:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Cloud #CyberSecurity #EDR #HTTP #InfoSec #Java #JavaScript #Korea #Linux #Mac #MacOS #NPM #NorthKorea #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SentinelOne #SupplyChain #Trojan #Windows #bot #iOS #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Re: Axios remote access trojan (RAT)

https://github.com/axios/axios/issues/10636

Luckily I don't use npm much (only #Indiekit) and it wasn't the malicious v1.14.1 or v0.30.4, it was v1.13.2.

Check with `npm list axios` in your /node_modules folder. I also ran `find ~ -type d -path "*/node_modules/plain-crypto-js" 2>/dev/null` to see if the RAT is found anywhere on my Mac. 🤞Luckily nothing. Scary! Read the full post mortem report above!

@paulrobertlloyd

#RemoteAccessTrojan #trojan #hack #virus #npm #axios

Post Mortem: axios npm supply chain compromise · Issue #10636 · axios/axios

Post Mortem: axios npm supply chain compromise Date: March 31, 2026 Author: Jason Saayman Status: Remediation in progress On March 31, 2026, two malicious versions of axios (1.14.1 and 0.30.4) were...

GitHub

Inside the Axios supply chain compromise - one RAT to rule them all

Elastic Security Labs identified a supply chain compromise of the axios npm package, one of the most depended-upon packages in the JavaScript ecosystem with approximately 100 million weekly downloads. The attacker compromised a maintainer account and published backdoored versions that delivered a cross-platform Remote Access Trojan to macOS, Windows, and Linux systems through a malicious postinstall hook.

Pulse ID: 69cd1c2e48c8aeef1f743d7f
Pulse Link: https://otx.alienvault.com/pulse/69cd1c2e48c8aeef1f743d7f
Pulse Author: AlienVault
Created: 2026-04-01 13:22:54

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #ElasticSecurityLabs #InfoSec #Java #JavaScript #Linux #Mac #MacOS #NPM #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SupplyChain #Trojan #Windows #bot #iOS #AlienVault


Axios NPM Distribution Compromised in Supply Chain Attack

An unknown threat actor compromised the npm account of an axios maintainer, publishing two malicious versions of the package. These versions introduced a dependency on plain-crypto-js, a newly created malicious package. Despite quick removal, axios's widespread usage led to rapid exposure. The malicious package includes a dropper that downloads and executes platform-specific second-stage payloads, functioning as remote access trojans. These payloads can execute remote shells, inject binaries, browse directories, list processes, and perform system reconnaissance. Organizations are advised to audit their environments, remove malicious artifacts, rotate exposed credentials, investigate potential compromise paths, and monitor for suspicious activity.

Pulse ID: 69cbb6559ec175684e1e7611
Pulse Link: https://otx.alienvault.com/pulse/69cbb6559ec175684e1e7611
Pulse Author: AlienVault
Created: 2026-03-31 11:56:05

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #NPM #OTX #OpenThreatExchange #RemoteAccessTrojan #SupplyChain #Trojan #bot #iOS #AlienVault


Axios versions 1.14.1 and 0.30.4 were compromised via a malicious npm dependency, deploying a cross-platform RAT on Windows, macOS, and Linux. Users must downgrade and rotate credentials to maintain control over their environments ⚠️

🔗 https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html

#TechNews #Axios #npm #SupplyChainAttack #Attack #Hacking #Hackers #Cybersecurity #OpenSource #FOSS #RemoteAccessTrojan #Trojan #Malware #NodeJS #Security #DevSecOps #IT #Software #Privacy #RAT #Windows #Linux #macOS

Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account

Axios 1.14.1 and 0.30.4 injected malicious [email protected] after npm compromise on March 31, 2026, deploying cross-platform RAT malware.

The Hacker News

CrySome RAT : An Advanced Persistent .NET Remote Access Trojan

Pulse ID: 69cca052ca3d74e35e1a8c15
Pulse Link: https://otx.alienvault.com/pulse/69cca052ca3d74e35e1a8c15
Pulse Author: Tr1sa111
Created: 2026-04-01 04:34:26

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Trojan #bot #Tr1sa111


CrySome RAT : An Advanced Persistent .NET Remote Access Trojan

CrySome is a sophisticated .NET-based remote access trojan designed for persistent command-and-control operations. It features advanced persistence mechanisms, including recovery partition abuse and offline registry modification, allowing it to survive system resets. The malware incorporates an aggressive defense evasion module, disabling security products and blocking updates. Key capabilities include command execution, file operations, surveillance, credential theft, and hidden virtual desktop control. CrySome's modular architecture and structured packet-based protocol enable a wide range of remote operations. Its emphasis on stealth, resilience, and comprehensive system control makes it a significant threat for long-term covert access to compromised environments.

Pulse ID: 69cbf2e4685c6f31a7715a5f
Pulse Link: https://otx.alienvault.com/pulse/69cbf2e4685c6f31a7715a5f
Pulse Author: AlienVault
Created: 2026-03-31 16:14:28

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ESET #InfoSec #Malware #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SMS #Trojan #bot #AlienVault


Supply-Chain Compromise of axios npm Package

A coordinated supply chain attack targeted the axios npm package, compromising two versions (1.14.1 and 0.30.4) by injecting a malicious dependency. The attack delivered a cross-platform Remote Access Trojan to macOS, Windows, and Linux systems. The compromise occurred through the lead maintainer's npm account, bypassing normal publishing workflows. The malicious payload performed system reconnaissance, established persistence on Windows, and provided remote access capabilities. The attack affected numerous organizations and potentially exposed sensitive credentials. Immediate mitigation steps include pinning to safe versions, removing malicious dependencies, rotating credentials, and blocking the command and control server.

Pulse ID: 69cbf7d7db7968b35905f4fe
Pulse Link: https://otx.alienvault.com/pulse/69cbf7d7db7968b35905f4fe
Pulse Author: AlienVault
Created: 2026-03-31 16:35:35

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Linux #Mac #MacOS #NPM #OTX #OpenThreatExchange #RemoteAccessTrojan #SupplyChain #Trojan #Windows #bot #iOS #AlienVault


#Axios is the most popular JavaScript HTTP client library with over 100 million weekly downloads. On March 30, 2026, StepSecurity identified two malicious versions of the widely used axios HTTP client library published to npm: [email protected] and [email protected]. The malicious versions inject a new dependency, [email protected], which is never imported anywhere in the axios source code. Its sole purpose is to execute a postinstall script that acts as a cross platform remote access trojan (RAT) dropper, targeting macOS, Windows, and Linux… #Malware #Trojan #RemoteAccessTrojan

https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan

axios Compromised on npm - Malicious Versions Drop Remote Access Trojan - StepSecurity

Hijacked maintainer account used to publish poisoned axios releases including 1.14.1 and 0.30.4. The attacker injected a hidden dependency that drops a cross platform RAT. We are actively investigating and will update this post with a full technical analysis.

CrySome RAT : An Advanced Persistent .NET Remote Access Trojan - CYFIRMA

The CrySome RAT is an advanced, stealthy remote access trojan designed to survive system resets and evade detection, according to an analysis by security researchers at the Institute for Strategic Studies.

Pulse ID: 69cbc6158b16dc33d6f16b9b
Pulse Link: https://otx.alienvault.com/pulse/69cbc6158b16dc33d6f16b9b
Pulse Author: CyberHunter_NL
Created: 2026-03-31 13:03:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyFirma #CyberSecurity #ESET #InfoSec #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Trojan #bot #CyberHunter_NL
