Overview
On March 31, 2026 (at 00:21 UTC for v1.14.1 and 01:00 UTC for v0.30.4), an unknown threat actor compromised the npm account of an axios maintainer and published two malicious versions of the axios npm package (v1.14.1 and v0.30.4). Both versions introduced a dependency on plain-crypto-js, a newly created malicious package. Although the malicious versions were removed within a few hours, axios's widespread usage (present in ~80% of cloud and code environments and downloaded ~100 million times per week) meant exposure spread quickly, and execution of the malicious code was observed in 3% of affected environments. Organizations are strongly advised to audit their environments for downloads or execution of these versions (tracked as GHSA-fw8c-xr5c-95f9 and MAL-2026-2306).
Technical Details
The malicious versions of axios differed from legitimate releases only by adding a dependency on plain-crypto-js, a trojanized package. The versions were published directly through the compromised maintainer account and were removed from npm following disclosure. Despite the short exposure window, the high prevalence of axios meant that even this limited availability resulted in measurable execution across environments.
plain-crypto-js includes a dropper (setup.js) that runs at install time, downloads and executes a platform-specific second-stage payload from sfrclak.com:8000, and then covers its tracks by deleting itself and restoring a clean package.json. The second-stage payloads function as lightweight remote access trojans (RATs): they beacon to the C2 server every 60 seconds, transmit a system inventory, and await commands.
All three variants implement similar capabilities (remote shell execution, binary injection, directory browsing, process listing, and system reconnaissance) and differ mainly in how they are delivered per operating system. On macOS, the payload is a compiled C++ Mach-O universal binary that can self-sign injected payloads with codesign. On Windows, the payload is a PowerShell script that establishes persistence via a registry Run key (MicrosoftUpdate) and a batch file that re-downloads the payload. On Linux, the payload is a Python script.
Which actions should security teams take?
Audit axios usage: Identify whether the affected versions (1.14.1, 0.30.4) or the plain-crypto-js package were downloaded or executed in your environment, including lockfiles, build caches, and container images. Immediately remove any malicious artifacts from endpoints, build systems, and production workloads.
Rotate exposed credentials: If there is any indication that the malicious packages were executed, assume credential compromise. Scan affected systems for secrets (e.g., environment variables, API keys, tokens) and rotate them accordingly.
Investigate potential compromise paths: Review build pipelines and developer machines for signs of unauthorized access or persistence. Because the malware executes during package installation, a compromised CI runner or developer workstation can in turn poison the artifacts it builds, enabling further downstream supply chain compromise.
Monitor for suspicious activity: Detect and investigate outbound connections to sfrclak.com:8000 (142.11.206.73), and analyze logs for beaconing at roughly 60-second intervals, anomalous HTTP POST requests, or unexpected process execution spawned by package installation (npm, yarn, pnpm).
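As an added example (not code from the advisory, nor from the axios or Wiz projects), the following Node.js script performs two of the checks above offline. It audits a package-lock.json (lockfile v2/v3 `packages` map) for the compromised axios versions and for any presence of plain-crypto-js, whether installed or merely declared as a dependency, and it scans proxy log lines for connections to the published C2 indicators, flagging sources whose hits recur at roughly 60-second intervals. The lockfile contents, the log-line format (`<timestamp> <src> <method> <url> <status>`), and the exact URL path shape are constructed sample data, not captured artifacts.

```javascript
// Added example: offline audit for the axios 1.14.1 / 0.30.4 compromise.
// Indicators below are taken from the advisory's IOC table.
const AFFECTED_AXIOS = new Set(["1.14.1", "0.30.4"]);
const MALICIOUS_PACKAGES = new Set(["plain-crypto-js"]);
const C2_HOSTS = new Set(["sfrclak.com", "142.11.206.73"]);
const C2_PORT = "8000";

// Lockfile v2/v3 keys look like "node_modules/<name>" or
// "node_modules/<parent>/node_modules/<name>"; take the segment after the
// last "node_modules/" so nested installs are handled. Root entry "" -> null.
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns one finding per compromised axios install, per installed malicious
// package, and per package that declares a malicious package as a dependency.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = packageName(path);
    if (name === "axios" && AFFECTED_AXIOS.has(meta.version)) {
      findings.push({ path, reason: `compromised axios ${meta.version}` });
    }
    if (name !== null && MALICIOUS_PACKAGES.has(name)) {
      findings.push({ path, reason: `malicious package ${name}@${meta.version}` });
    }
    for (const dep of Object.keys(meta.dependencies || {})) {
      if (MALICIOUS_PACKAGES.has(dep)) {
        findings.push({ path, reason: `declares dependency on ${dep}` });
      }
    }
  }
  return findings;
}

// Any connection to the C2 host or IP is a hit; port 8000 is recorded as a
// stronger indicator but is not required (an operator may move ports).
function matchesC2(url) {
  let u;
  try { u = new URL(url); } catch { return false; }
  return C2_HOSTS.has(u.hostname);
}

// Constructed log format for this example: "<ISO ts> <src> <method> <url> <status>".
function parseLogLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 5) return null;
  return { ts: Date.parse(f[0]), src: f[1], method: f[2], url: f[3], status: f[4] };
}

// Groups C2 hits by source and flags sources whose consecutive hits are all
// 55-65 s apart (the advisory reports a 60 s beacon); needs >= 3 hits.
function scanProxyLogs(lines) {
  const bySrc = new Map();
  for (const line of lines) {
    const e = parseLogLine(line);
    if (!e || !matchesC2(e.url)) continue;
    if (!bySrc.has(e.src)) bySrc.set(e.src, []);
    bySrc.get(e.src).push({ ts: e.ts, port: new URL(e.url).port });
  }
  const results = [];
  for (const [src, hits] of bySrc) {
    hits.sort((a, b) => a.ts - b.ts);
    const gaps = hits.slice(1).map((h, i) => (h.ts - hits[i].ts) / 1000);
    const beaconing = gaps.length >= 2 && gaps.every((g) => g >= 55 && g <= 65);
    const onC2Port = hits.some((h) => h.port === C2_PORT);
    results.push({ src, hits: hits.length, onC2Port, beaconing });
  }
  return results;
}

// Constructed sample inputs (not real artifacts).
const SAMPLE_LOCK = {
  name: "app", lockfileVersion: 3,
  packages: {
    "": { name: "app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "^4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/follow-redirects": { version: "1.15.9" },
    "node_modules/legacy-tool/node_modules/axios": { version: "0.30.3" },
  },
};
const SAMPLE_LOGS = [
  "2026-03-31T01:10:00Z 10.0.4.17 POST http://sfrclak.com:8000/6202033 200",
  "2026-03-31T01:11:00Z 10.0.4.17 POST http://sfrclak.com:8000/6202033 200",
  "2026-03-31T01:12:01Z 10.0.4.17 POST http://sfrclak.com:8000/6202033 200",
  "2026-03-31T01:12:30Z 10.0.4.22 GET https://registry.npmjs.org/axios 200",
  "2026-03-31T01:13:00Z 10.0.4.17 POST http://142.11.206.73:8000/6202033 200",
];

console.log(JSON.stringify({ lockfile: auditLockfile(SAMPLE_LOCK), network: scanProxyLogs(SAMPLE_LOGS) }, null, 2));
```

To run against a real repository, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; lockfile v1 files (no `packages` key) are not covered by this example. A beaconing hit on a host should be treated as confirmed execution and trigger the credential rotation step above.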
How can Wiz help?
Wiz customers can refer to the advisory in the Wiz Threat Center for ongoing guidance, pre-built queries, and references to relevant detections they can use to assess the risk in their environment and detect the presence of the malicious package or past executions.
Worried you’ve been impacted? Connect with the Wiz Incident Response team.
Appendix - Indicators of compromise (IOCs)
| Category | Indicator | Details | Hash |
|---|---|---|---|
| Compromised package | axios-0.30.4.tgz | Stage 1, npm package | SHA256: 59336a964f110c25c112bcc5adca7090296b54ab33fa95c0744b94f8a0d80c0f |
| Compromised package | axios-1.14.1.tgz | Stage 1, npm package | SHA256: 5bb67e88846096f1f8d42a0f0350c9c46260591567612ff9af46f98d1b7571cd |
| Malicious package | plain-crypto-js-4.2.1.tgz | Stage 1.5, trojanized npm package | SHA256: 58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668 |
| File | com.apple.act.mond | Stage 2 (macOS), Mach-O binary | SHA256: 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a |
| File | stage2.ps1 | Stage 2 (Windows), PowerShell script | SHA256: 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 |
| File | ld.py | Stage 2 (Linux), Python script | SHA256: fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf |
| Domain | sfrclak[.]com | C2 domain | - |
| IP | 142.11.206[.]73 | C2 IP | - |
| Network | Port 8000 | C2 port | - |
| Network | /6202033 | Campaign path | - |
| File Path | /Library/Caches/com.apple.act.mond | macOS persistence path | - |
| File Path | %PROGRAMDATA%\wt.exe | Windows artifact | - |
| File Path | %TEMP%\6202033.vbs | Windows script | - |
| File Path | %TEMP%\6202033.ps1 | Windows script | - |
| File Path | /tmp/ld.py | Linux script | - |
| Package | @shadanai/openclaw | Versions: 2026.3.28-2; 2026.3.28-3; 2026.3.31-1; 2026.3.31-2 | - |
| Package | @qqbrowser/openclaw-qbot | Version: 0.0.130 | - |
| Account | npm:jasonsaayman | Compromised maintainer (email changed to ifstap@proton.me) | - |
| Account | npm:nrwise | Published plain-crypto-js (nrwise@proton.me) | - |