rfxn

Research · March 31, 2026

Axios npm Compromise: Lazarus Group Deploys Cross-Platform RAT

The axios npm package was compromised via maintainer account hijack. Malicious versions deploy a cross-platform RAT attributed to Lazarus Group (DPRK/APT38). We publish 33 new LMD signatures covering all artifacts and C2 infrastructure.

Threat Advisory
Lazarus Group (DPRK/APT38) attribution
50M+ weekly downloads, 3-hour attack window
33 new LMD signatures (hash + hex + compound)
Full IOCs, MITRE ATT&CK, and remediation
Tags: maldet, malware, supply-chain, npm, lazarus, apt38

Active Servers (30d): 363.3k
Requests (30d): 35.92M
GitHub stars: 2,103

Deployed across government, defense, education & enterprise networks

Government: NIST, NOAA, NIH, UNAM
Defense: NATO CCDCOE
Education: Stanford University, Harvard University, National Taiwan University, City University of New York
Research networks: DFN, RENATER, JANET, SURFnet, RedIRIS, GARR, UNINETT, SWITCH
Enterprise: Amazon Web Services, Microsoft, Google, Deutsche Telekom, Vodafone, Telefonica, Orange, Cogent, IONOS
Hosting: Liquid Web, Vultr, DigitalOcean, Hetzner, OVH, Nexcess, Contabo, Leaseweb, Bluehost


Quick Start

Get up and running in minutes. All tools install from source with a single command.

LMD (Linux Malware Detect):
$ git clone https://github.com/rfxn/linux-malware-detect.git && cd linux-malware-detect && ./install.sh

APF (Advanced Policy Firewall):
$ git clone https://github.com/rfxn/advanced-policy-firewall.git && cd advanced-policy-firewall && ./install.sh

BFD (Brute Force Detection):
$ git clone https://github.com/rfxn/brute-force-detection.git && cd brute-force-detection && ./install.sh

Built for Real-World Linux Security

Threat-Driven Design

Built from real malware data collected at the network edge. Every detection signature comes from active threats seen in production hosting environments, not theoretical research.

Shell-Native & Lightweight

Pure bash with minimal dependencies. No agents, no daemons eating resources, no runtime interpreters. Runs on any Linux system from embedded devices to enterprise servers.

Community-Sustained

20+ years of open source development under GPL v2. No venture funding, no enterprise upsells. Sustained by the community of sysadmins who rely on these tools daily.

Protection Stack

Three tools, one defense-in-depth strategy. Layer them together for comprehensive Linux security.

Layer 1

Malware Detection

LMD

Scan & quarantine threats from real hosting threat data

Layer 2

Firewall Policy

APF

Stateful iptables filtering with reactive address blocking

Layer 3

Intrusion Prevention

BFD

Block brute-force auth attacks with modular log parsing
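To make the Layer 2/Layer 3 idea concrete (parse authentication logs, count failures per source within a time window, and hand the offending addresses to the firewall layer), here is an added illustration in Python. It is not BFD's or APF's own code; both tools are bash, and their real parsing rules, thresholds and block commands are assumptions here rather than taken from the projects. The sshd log lines are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd syslog lines; no real host or client addresses (RFC 5737 ranges).
SAMPLE_LOG = """\
Mar 31 10:00:01 web1 sshd[1001]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 31 10:00:03 web1 sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar 31 10:00:04 web1 sshd[1003]: Accepted publickey for deploy from 198.51.100.7 port 40210 ssh2
Mar 31 10:00:06 web1 sshd[1004]: Failed password for root from 203.0.113.5 port 51251 ssh2
Mar 31 10:00:09 web1 sshd[1005]: Failed password for root from 203.0.113.5 port 51260 ssh2
Mar 31 10:30:00 web1 sshd[1006]: Failed password for ubuntu from 192.0.2.9 port 33001 ssh2
Mar 31 10:45:00 web1 sshd[1007]: Failed password for ubuntu from 192.0.2.9 port 33002 ssh2
Mar 31 11:00:00 web1 sshd[1008]: Failed password for ubuntu from 192.0.2.9 port 33003 ssh2
Mar 31 11:15:00 web1 sshd[1009]: Failed password for ubuntu from 192.0.2.9 port 33004 ssh2
"""

# One "rule" in the modular-parser sense: a regex for a single daemon's failure line.
# Assumed format for illustration; a real rule set carries one such pattern per service.
SSHD_FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(text, year=2026):
    """Return a list of (timestamp, source_ip) for every matching failure line.

    Syslog lines carry no year, so the caller supplies it (assumed 2026 for the sample).
    Non-matching lines (successful logins, other daemons) are ignored.
    """
    events = []
    for line in text.splitlines():
        m = SSHD_FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2)))
    return events


def offenders(events, threshold=4, window_seconds=600):
    """Return the sorted source IPs that reached `threshold` failures inside any
    sliding window of `window_seconds`. Slow, spread-out attempts stay under the
    threshold unless the window is widened, which is the usual tuning trade-off."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = set()
    for ts, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return sorted(flagged)


def block_rules(ips):
    """Render one firewall rule per offending IP. Hypothetical iptables form for
    illustration; the real hand-off to the firewall layer is tool-specific."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    hits = offenders(parse_failures(SAMPLE_LOG))
    print("flagged:", hits)
    for rule in block_rules(hits):
        print(rule)
```

With the defaults (4 failures within 10 minutes) only 203.0.113.5 is flagged; widening the window to an hour also catches the 15-minute-spaced attempts from 192.0.2.9. Tuning those two numbers against your own log volume is the main operational decision for any brute-force detector.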


Support Open Source Security

R-fx Networks projects are entirely community-funded. If these tools help protect your infrastructure, consider contributing.