Attacker

Step 1: npm account takeover

Attacker hijacks the jasonsaayman npm account and changes its email from jasonsaayman@gmail.com to ifstap@proton.me.

Step 2: Publish malicious axios@1.14.1 and axios@0.30.4

1.14.1 published at 00:21 UTC, 0.30.4 at 01:00 UTC. Both add plain-crypto-js as a dependency:

+ "plain-crypto-js": "^4.2.1"


Victim

Step 3: Victim runs npm install axios

npm resolves plain-crypto-js@4.2.1. Its postinstall hook runs setup.js, which detects the OS and downloads a platform-specific payload.

● macOS
Binary: Mach-O universal (C++)
Dropper: AppleScript
Disguise: Fake Apple daemon name
Persistence: None built-in

● Windows
Payload: PowerShell .ps1
Dropper: VBScript
Disguise: Windows Terminal
Persistence: Run key named MicrosoftUpdate
Bugs: work() never called

● Linux
Payload: Python script
Dropper: Direct curl + nohup
Disguise: None
Persistence: None built-in
Bugs: os.getlogin() crash + broken binary exec
Shared across all platforms
C2 protocol: sfrclak[.]com:8000

HTTP POST with a base64-encoded JSON body, a hardcoded IE8 User-Agent, and a 60-second beacon loop.

C2 commands
FirstInfo: Directory listings of ~, ~/Desktop, ~/Documents, ~/.config
BaseInfo: Hostname, user, OS, timezone, CPU, process list (every 60s)
kill: Terminate the RAT
peinject: Drop and execute a binary from a base64 payload
runscript: Run arbitrary shell, PowerShell, or Python code
rundir: Enumerate a remote directory
Datadog Security Labs