← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Axios Package Hijacked to Execute Remote Access Attacks
WHITE CODERED_VTA 2026-03-31 Modified: 2026-03-31
25
IOCs
MEDIUM VOLUME
A popular HTTP client library, axios, has been compromised by an attacker who published two malicious versions of the library on the npm platform.. and then published them on its own GitHub Actions.
windowsgithub actionslinuxc2 urlhardenrunnerstepsecuritycicdpost bodyvbscriptc2 postmaliciouspowershellverifymacoscopywriteinstalllinux pythonkicspython
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
Linux Python KICS Python
Indicators of Compromise (25)
All FileHash-SHA1 IPv4 URL domain email hostname
TYPEINDICATORDESCRIPTIONCREATED
FileHash-SHA1 07d889e2dadce6f3910dcbc253317d28ca61c766 2026-03-31
FileHash-SHA1 2553649f2322049666871cea80a5d0d6adc700ca 2026-03-31
FileHash-SHA1 7c29f4cf2ea91ef05018d5aa5399bf23ed3120eb 2026-03-31
FileHash-SHA1 ab1be887a2d37dd9ebc219657704180faf2c4920 2026-03-31
FileHash-SHA1 d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71 2026-03-31
IPv4 142.11.206.73 CC=US ASN=AS54290 hostwinds llc. 2026-03-31
URL http://Linuxpackages.npm.org/product2 2026-03-31
URL http://Windowspackages.npm.org/product1 2026-03-31
URL http://macOSpackages.npm.org/product0 2026-03-31
URL http://packages.npm.org/ 2026-03-31
URL http://packages.npm.org/product0 2026-03-31
URL http://packages.npm.org/product1 2026-03-31
URL http://packages.npm.org/product2 2026-03-31
URL http://sfrclak.com:8000 2026-03-31
URL http://sfrclak.com:8000/ 2026-03-31
URL http://sfrclak.com:8000/6202033 2026-03-31
domain domainsfrclak.com 2026-03-31
domain package.md 2026-03-31
domain sfrclak.com 2026-03-31
email ifstap@proton.me 2026-03-31
email nrwise@proton.me 2026-03-31
hostname linuxpackages.npm.org 2026-03-31
hostname macospackages.npm.org 2026-03-31
hostname packages.npm.org 2026-03-31
hostname windowspackages.npm.org 2026-03-31
References (1)
↗ https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan