Axios npm Compromise: Lazarus Group Deploys Cross-Platform RAT

On March 31, 2026, the axios npm package, with over 50 million weekly downloads, was compromised via a maintainer account hijack. Two malicious versions (1.14.1 and 0.30.4) were published between 00:21 and 03:29 UTC, injecting a dependency on plain-crypto-js, an obfuscated postinstall dropper that delivers a cross-platform remote access trojan targeting Windows, macOS, and Linux.

The macOS payload is classified as NukeSped by four antivirus engines. NukeSped is a backdoor family attributed to Lazarus Group (DPRK/APT38), the same threat actor behind the 2022 Ronin Bridge theft ($625M), the 2024 WazirX exchange hack ($230M), and the February 2025 Bybit theft ($1.4B). This marks Lazarus's first confirmed compromise of a top-100 npm package.

axios sits in the dependency tree of an estimated 12 million GitHub repositories and is a transitive dependency of most Node.js web frameworks. A compromised version propagates through CI/CD pipelines, automated dependency updates (Dependabot, Renovate), and developer workstations within minutes of publication.

The compromise was first reported by the community around 02:00 UTC and the malicious versions were unpublished by 03:29 UTC. StepSecurity, Socket, Snyk, and Semgrep published early analyses confirming the scope, while N3mes1s released a detailed reverse engineering of the dropper with YARA, Sigma, and Suricata rules.

This post builds on that collective work with a focus on the full attack chain from npm registry to RAT deployment, the XOR obfuscation scheme used in the dropper, all three platform-specific payloads, the C2 infrastructure, and the 33 maldet signatures we published for detection.

The Attack

The attacker compromised the npm account of jasonsaayman, a legitimate axios maintainer. The compromise vector is consistent with credential theft via social engineering or infostealer malware, a technique Lazarus has refined across previous DeceptiveDevelopment campaigns targeting open-source maintainers. A second account, nrwise (email: nrwise@proton.me), was created to publish the malicious dependency. The attack targeted two version branches simultaneously to maximize coverage across pinned and floating dependency ranges.

The three-hour window between publication and removal is consistent with Lazarus Group's previous npm campaigns (e.g., the 2023 crypto-dashboard-helper incident), where a short burst window captures installs from CI/CD pipelines running on schedules, automated dependency updates, and developers working across time zones. Publishing to both the 1.x and 0.x branches was deliberate: projects pinning to legacy 0.x releases (common in enterprise codebases with conservative upgrade policies) were hit alongside those tracking the latest.

Attack Chain

The kill chain flows from npm registry to platform-specific RAT deployment in four stages. The dropper uses XOR obfuscation with a deterministic key to evade static analysis, then branches by OS to download the appropriate payload from the C2 server.

The Dropper

The plain-crypto-js package contains a single file, setup.js, registered as a postinstall script. npm executes postinstall hooks automatically after npm install with no user interaction required. npm does not sandbox lifecycle scripts; they execute with the installing user's full permissions.

The payload is obfuscated with a deterministic XOR cipher. Every character is transformed through a formula that uses the position index to select a key byte, making the output deterministic (the same input always produces the same ciphertext):

// Deobfuscation formula (from setup.js)
const key = "OrDeR_7077";
const constant = 333;

function decode(encoded, r) {
  return String.fromCharCode(
    encoded.charCodeAt(0) ^ key.charCodeAt((7 * r * r) % 10) ^ constant
  );
}

Because the XOR key (OrDeR_7077) and constant (333) are embedded as string literals, the obfuscated output has stable byte sequences suitable for hex pattern matching. The decoded payload performs OS detection and fetches the platform-specific RAT from one of three C2 endpoints.

The C2 URI path /packages.npm.org/ is deliberately crafted to resemble legitimate npm infrastructure in proxy logs, blending with normal package resolution traffic.

Platform Payloads

Windows: Staged RAT via Renamed PowerShell

The Windows payload uses a two-stage approach. Stage 1 (system.bat) drops to C:\ProgramData\, copies powershell.exe to wt.exe (LOLBin evasion), then downloads the PowerShell RAT as Stage 2.

Persistence is achieved via registry key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate, with campaign artifacts using the ID 6202033 as a naming convention across temporary VBS and PS1 files.

macOS: NukeSped Universal BinaryAPT38

The macOS payload is a fat Mach-O binary containing both x86_64 and ARM64 slices, classified as NukeSped by four antivirus engines. Build metadata reveals the Xcode project name macWebT, developer path Jain_DEV, and a .NET embedded class Extension.SubRoutine.

Persistence is achieved by masquerading as a macOS system daemon at /Library/Caches/com.apple.act.mond, a deliberately crafted name within Apple's namespace designed to blend with legitimate LaunchDaemon entries.

Linux: Python RAT

The Linux payload is a Python script dropped to /tmp/ld.py that provides full remote access via subprocess execution. It beacons to the C2 with JSON payloads containing three message types: FirstInfo (initial host fingerprint), BaseInfo (system metadata), and CmdResult (command output). All beacons are base64-encoded in HTTP POST bodies, using a spoofed IE8 User-Agent string.

C2 Infrastructure

Both C2 domains were registered less than 15 hours before the attack, hosted on a single IP address at Hostwinds (Seattle, WA). The server uses cleartext HTTP on port 8000 with no TLS, suggesting rapid deployment infrastructure intended for short-lived campaigns.

The C2 beacon uses a distinctive Internet Explorer 8 User-Agent string, a known Lazarus Group fingerprint also observed in previous DeceptiveDevelopment campaigns. All beacon payloads are base64-encoded JSON with type prefixes that produce stable, signaturable byte sequences.

maldet Signatures

We published 33 signatures across four detection layers, providing exact-match coverage for all known artifacts and behavioral detection that survives repackaging and minor code changes. All signatures passed false positive testing against 166,059 benign files across three engines ( ClamAV, YARA, maldet).

Hash Signatures (22)

Exact-match detection for all known artifacts. SHA256 entries cover all 16 verified hashes; MD5 entries cover the 6 artifacts with confirmed MD5 values.

Hex Pattern Signatures (4)

Single-pattern rules targeting campaign-specific strings that are unique enough to stand alone without false positive risk.

Compound Signatures (7)

Boolean AND/OR rules that detect behavioral patterns even when exact hashes change. Each rule requires multiple campaign-specific indicators to be present in the same file, eliminating false positive risk from individual string matches.

Detection & Remediation

If you installed or built with axios between 00:21 and 03:29 UTC on March 31, 2026, check your lockfiles and scan your systems:

1. Check Lockfiles

# Search for compromised versions in lockfiles
grep -r '"axios": "1.14.1\|"axios": "0.30.4\|plain-crypto-js' \
  package-lock.json yarn.lock pnpm-lock.yaml 2>/dev/null

# Check npm cache for malicious packages
find ~/.npm/_cacache -name "*.tgz" -newer /tmp/marker 2>/dev/null | \
  xargs -I{} sha256sum {} | \
  grep -E '5bb67e88|59336a96|58401c19'

2. Scan with maldet

# Update maldet signatures (includes all 33 new rules)
maldet -u

# Scan node_modules and temp directories
maldet -a /path/to/project/node_modules /tmp

# Scan CI/CD build directories
maldet -a /home/*/builds /var/lib/jenkins

3. Check for RAT Artifacts

# Linux RAT
ls -la /tmp/ld.py

# macOS persistence
ls -la /Library/Caches/com.apple.act.mond
launchctl list | grep act.mond

# Windows (PowerShell)
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' |
  Select-String 'MicrosoftUpdate'
Test-Path 'C:\ProgramData\system.bat'
Test-Path 'C:\ProgramData\wt.exe'

4. Network IOCs

# Search proxy/firewall logs for C2 domains
grep -E 'sfrclak\.com|callnrwise\.com' /var/log/squid/*.log
grep -E '142\.11\.206\.73' /var/log/nginx/access.log

# Search for C2 beacon User-Agent
grep 'msie 8.0.*windows nt 5.1.*trident/4.0' /var/log/*/access*.log

5. Remediate

IOCs

File Hashes

Network Indicators

File System Artifacts

MITRE ATT&CK

Conclusion

The axios compromise represents an escalation in npm supply chain attacks: a nation-state actor (Lazarus Group) targeting one of the most depended-upon packages in the JavaScript ecosystem with a cross-platform RAT deployment capability. The three-hour window was enough to reach CI/CD pipelines, build servers, and developer workstations across all three major operating systems.

The attack pattern (maintainer account hijack, malicious dependency injection via postinstall hook, XOR-obfuscated dropper, platform-specific payload delivery) is reusable against any npm package. The defense layers that matter:

All 33 maldet signatures are available in the current signature update. Run maldet --update-sigs to pull the latest definitions.

References

Incident Analysis

Threat Actor Attribution

Tooling and Detection

npm Security