April 01, 2026 ChainGPT

Axios Supply-Chain Compromise Injects Cross-Platform RAT — Crypto Devs Urged to Audit

Axios supply-chain compromise drags crypto developers into cross-platform RAT attack — Slow Fog sounds the alarm

Blockchain security firm Slow Fog has warned crypto developers after attackers slipped a malicious dependency into recent axios releases, turning one of JavaScript’s most ubiquitous HTTP clients into a supply-chain weapon.

What happened

- Malicious axios releases (pulled as 1.14.1 and 0.3.4 during the attack window) added a fake package named plain-crypto-js as a new dependency. That package — published just minutes before the compromised axios release — contained an obfuscated postinstall script that installed a cross-platform remote access trojan (RAT) on Windows, macOS and Linux systems.
- Axios itself did not contain overt malicious code, but the injected dependency executed shell commands, dropped the RAT and attempted to erase traces, according to researchers at StepSecurity and Socket.
- The releases were pushed using stolen npm credentials belonging to axios primary maintainer “jasonsaayman,” allowing attackers to bypass the project’s usual GitHub release flow, security engineer Julian Harris noted on LinkedIn.
- npm has removed the malicious versions and reverted axios back to 1.14.0. But any environment that installed one of the compromised releases remains at risk until secrets are rotated and systems are rebuilt.

Why crypto projects are especially exposed

- Axios has more than 80 million weekly downloads on npm. Even a brief compromise can ripple through wallet backends, trading bots, exchanges and DeFi infrastructure that rely on Node.js.
- Prior npm supply-chain incidents have directly targeted crypto users — for example a 2025 campaign that silently swapped wallet addresses in widely used packages, and other malware families that have stolen private keys for Ethereum, XRP and Solana wallets.
- SlowMist estimates crypto hacks and frauds, including backdoored packages and AI-assisted supply-chain attacks, caused over $2.3 billion in losses in the first half of 2025.

Immediate remediation advice

Slow Fog and other researchers are urging developers and ops teams to:

- Downgrade axios to 1.14.0 (or otherwise pin to a known-good version).
- Audit dependency trees for plain-crypto-js or indicators like “openclaw.”
- Rotate any credentials or secrets used on machines/environments that installed the compromised versions.
- Perform host-level forensics for signs of RAT activity and rebuild affected systems where necessary — assume credentials touched by those environments are compromised.

Context

This incident is another reminder that npm’s massive reach makes JavaScript supply-chain attacks an attractive vector for adversaries targeting crypto infrastructure. Security teams should treat developer environments and CI pipelines as high-risk assets and enforce strict credential hygiene, dependency auditing and reproducible builds.

If you manage crypto infrastructure or developer workstations that may have pulled axios during the attack window, act now: audit, rotate secrets, investigate hosts and rebuild from trusted sources.

Read more AI-generated news on: undefined/news