Axios

Unit 42 details a widespread npm supply-chain attack in which attackers hijacked an Axios maintainer account and released compromised Axios versions that inject a malicious dependency (plain-crypto-js). The dependency uses npm postinstall hooks to run an obfuscated dropper that retrieves platform-specific RAT payloads for macOS, Windows and Linux, establishes persistence, beacons to C2 (sfrclak.com:8000), and performs anti-forensic cleanup; the brief provides IoCs (hashes, domains, IP, file paths), detection queries, affected sectors, mitigation advice, and product protections.