Millions of JS devs just got penetrated by a RAT…
Fireship · Tech · 4:59

TL;DR

Two malicious Axios versions on npm (100M weekly downloads) installed a RAT via a rogue dependency and post-install script to steal developer credentials.

Key Points

1. Axios was compromised through a supply-chain attack, not through a malicious change to its source code. Two malicious versions were published to npm by an attacker who had taken over the maintainer's npm account; they were published from a Proton Mail address rather than through the project's normal GitHub Actions release workflow.
2. The attack used a fake 'plain-crypto-js' package as the RAT dropper. It imitated the legitimate crypto-js library, ran a post-install script, contacted a command-and-control server, and downloaded an OS-specific second-stage payload to establish remote access.
3. The RAT actively covered its tracks to evade detection. After installation it deleted itself, removed the post-install entry from package.json, and cleaned up so thoroughly that running 'npm audit' raised zero red flags.
4. Compromised machines risk exposure of AWS credentials, OpenAI API keys, and more. Developers should check node_modules for the 'plain-crypto-js' package, run the OS-specific detection commands provided in the video, rotate all API keys immediately, and follow StepSecurity's remediation guide.
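A defender-side check for the indicators in points 2 to 4, added here as an example that is not from the video or from Fireship: it walks a node_modules tree (including nested and scoped packages) and flags the 'plain-crypto-js' package by name as well as any dependency that declares an npm install-time script, so a dropper that has already deleted its own postinstall entry is still caught. The directory it scans is a constructed fixture built inline; the @scope/widget package and its install script are assumed sample values, not indicators from the page.

```python
import json
import os
import tempfile

KNOWN_BAD = {"plain-crypto-js"}  # dropper package named in the summary above
INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # npm hooks that run code at install time


def _is_package_dir(path):
    """True for node_modules/<name> and node_modules/@scope/<name> directories."""
    parent = os.path.dirname(path)
    if os.path.basename(parent).startswith("@"):
        parent = os.path.dirname(parent)
    return os.path.basename(parent) == "node_modules"


def scan_node_modules(root):
    """Return sorted (relative_dir, reason) findings for every package under root.
    The name check is reported separately from the script check, so a dropper that
    already removed its own postinstall entry is still flagged by name."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files or not _is_package_dir(dirpath):
            continue
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            meta = json.load(fh)
        if meta.get("name") in KNOWN_BAD:
            findings.append((rel, "known dropper package present"))
        hooks = [h for h in INSTALL_HOOKS if h in (meta.get("scripts") or {})]
        if hooks:
            findings.append((rel, "install-time script: " + ", ".join(hooks)))
    return sorted(findings)


def demo():
    """Build a constructed node_modules fixture (not a real install) and scan it."""
    fixture = {  # relative dir under node_modules -> package.json contents (constructed)
        "axios": {"name": "axios"},
        "crypto-js": {"name": "crypto-js"},
        "plain-crypto-js": {"name": "plain-crypto-js", "scripts": {"postinstall": "node setup.js"}},
        "axios/node_modules/plain-crypto-js": {"name": "plain-crypto-js"},  # hook entry already removed
        "@scope/widget": {"name": "@scope/widget", "scripts": {"install": "node-gyp rebuild"}},
    }
    with tempfile.TemporaryDirectory() as base:
        for rel, meta in fixture.items():
            pkg_dir = os.path.join(base, "node_modules", *rel.split("/"))
            os.makedirs(pkg_dir)
            with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
                json.dump(meta, fh)
        return scan_node_modules(base)
```

Point `scan_node_modules` at a real project root to audit an actual install; an install-time script is not malicious by itself, but every hit is worth reading before trusting the tree.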
