Lead Story · Critical · Enterprise · Cloud+DevOps
Axios — Used in Hundreds of Millions of Builds a Month — Was Quietly Delivering a RAT
On March 30, an attacker hijacked the npm account of axios’s lead maintainer and published two malicious versions of the library. The payload called home within two seconds of install, then deleted itself to avoid detection. If any of your pipelines ran npm install between March 30 and March 31, read this before you do anything else.
Axios is the most widely used HTTP client library in the JavaScript ecosystem, with over 100 million weekly downloads. On March 30, a threat actor compromised the npm account of jasonsaayman — the library’s primary maintainer — and published two new versions: axios@1.14.1 and axios@0.30.4. Both versions introduced a previously unknown dependency, plain-crypto-js, which served no legitimate function in the codebase. Its only purpose was to execute a postinstall script that reached out to a command-and-control server at sfrclak[.]com and retrieved platform-specific second-stage payloads targeting macOS, Windows, and Linux.
The attack was technically sophisticated and operationally patient. The malicious plain-crypto-js package was seeded to npm approximately 18 hours before the poisoned axios releases went live — timed specifically to avoid triggering “brand-new dependency” alerts from automated security scanners. The C2 connection was established within two seconds of the install completing — before most package managers had even finished writing to disk. After delivering its payload, the script deleted itself and replaced its own package.json with a clean copy to minimize forensic traces in the node_modules directory.
Socket.dev and StepSecurity identified the malicious versions on March 31. npm removed the affected packages from the registry and the maintainer account has been recovered. Two downstream packages were also confirmed to carry the same payload: @shadanai/openclaw and @qqbrowser/openclaw-qbot. The exposure window runs from approximately March 30 through March 31. Any CI/CD pipeline, Docker build, or developer workstation that ran npm install in that window on a project depending on axios needs to be treated as potentially compromised.
→ Key Takeaway: Check your pipelines now. Downgrade to [email protected] or [email protected]. Audit CI/CD logs for any run that installed 1.14.1 or 0.30.4 between March 30 and March 31. Remove plain-crypto-js from node_modules. Block egress to sfrclak[.]com. If the RAT was deployed, assume the system is compromised and rotate all credentials accessible from that environment.
Quick Hits
01
ShinyHunters Breached the European Commission and Stole the Keys to Forge Its Emails
ShinyHunters claimed responsibility for a breach of the European Commission’s cloud infrastructure, detected March 24 and confirmed by the EC on March 30. The group claims to have exfiltrated 350GB of data including the SSO user directory, DKIM signing keys, AWS configuration snapshots, and internal admin URLs. The DKIM keys are the most dangerous element: they allow the holder to forge emails that pass DMARC and DKIM authentication from EU Commission domains, creating a ready-made spear-phishing apparatus against EU member states, partner governments, and any organization that routinely receives official correspondence from European institutions. The EC stated that no websites were disrupted and containment measures were taken. This is the second EC breach of 2026. BleepingComputer →
High · Enterprise · Government
02
F5 BIG-IP APM Pre-Auth RCE — The Federal Remediation Deadline Was Yesterday
CVE-2025-53521 was reclassified from denial-of-service to pre-authentication remote code execution in March 2026 after active exploitation was confirmed. CISA added it to the Known Exploited Vulnerabilities catalog on March 27 with a federal remediation deadline of March 30 — yesterday. Organizations running BIG-IP APM versions 15.1.0–15.1.10, 16.1.0–16.1.6, 17.1.0–17.1.2, or 17.5.0–17.5.1 that have not yet applied patches are running an unauthenticated remote code execution vulnerability on the system that controls access to every application it protects. CVSS 9.8. Patches are available across all affected version branches. F5 Security Advisory →
Critical · Enterprise · Cloud+DevOps
CVE Watch
Patch of the Day
Fortinet FortiClient EMS — Pre-Auth SQL Injection, Active Exploitation Since March 26
CVE-2026-21643 is a pre-authentication SQL injection vulnerability in Fortinet FortiClient Endpoint Management Server (EMS) version 7.4.4 running in multi-tenant mode. Attackers exploit it by injecting malicious SQL commands through the Site HTTP header of standard requests — a single crafted request is sufficient to execute arbitrary SQL against the underlying PostgreSQL database. Successful exploitation gives attackers access to admin credentials, endpoint inventory, security policies, and certificates for all managed endpoints. Bishop Fox published technical details on March 26; active exploitation followed the same day. Approximately 1,000 FortiClient EMS instances are currently internet-exposed per Shodan. Upgrade to FortiClient EMS 7.4.5 immediately if you are running 7.4.4 in multi-tenant mode. Single-site deployments are not affected.
Vendor: Fortinet · Affected: FortiClient EMS 7.4.4 (multi-tenant) · Patched: 7.4.5 · Exploited: Confirmed (Mar 26)
Compliance Tip of the Day
NIST CSF 2.0 — PR.SC — Protect: Supply Chain Risk Management
The Axios Attack Is What a Compromised Build Dependency Looks Like at Scale
PR.SC-06 requires organizations to respond to and recover from supply chain cyber incidents. The axios compromise demonstrates exactly why this control exists. A single compromised npm maintainer account — stolen credentials, not exploited code — was sufficient to poison a package with over 100 million weekly installs. The malware ran before most teams had finished their morning coffee. PR.SC asks: do you know what packages are actually executing during your builds? Do you have a process to detect when a legitimate, trusted package is weaponized? Action: Enforce npm ci (not npm install) in all CI/CD pipelines so installs are pinned to your lockfile. Implement a software composition analysis tool that flags behavioral anomalies in postinstall scripts, not just known-bad hashes. Audit which packages in your dependency tree execute postinstall hooks — and whether any of them need to.
HARDENED | This newsletter does not constitute professional security advice. Security configurations and threat landscapes vary by organization. Consult a qualified security professional for implementation guidance specific to your environment. How we work: HARDENED uses AI agents for research, drafting, and automation. Every issue is reviewed by humans before publication. If you spot an error, reply directly — we correct the record promptly.
Sources: StepSecurity (axios compromise, March 31, 2026) · Socket.dev (axios supply chain attack) · The Hacker News (axios RAT, March 31, 2026) · Snyk (axios npm compromise) · BleepingComputer (European Commission breach, March 30, 2026) · The Record (ShinyHunters EC claim) · F5 Security Advisory CVE-2025-53521, f5.com · CISA KEV catalog, cisa.gov/kev · Bishop Fox blog (CVE-2026-21643, March 26, 2026) · BleepingComputer (FortiClient EMS exploitation) · NIST CSF 2.0, nist.gov/cyberframework