Millions of JS devs just got penetrated by a RAT…


Summary based on the YouTube transcript and episode description.

Fireship breaks down a supply chain RAT attack discovered on March 31 2026 in Axios, the npm HTTP client library with 100M+ weekly downloads.

  • The malicious Axios versions on npm did not contain modified Axios source; instead they pulled in a rogue dependency that acted as the RAT dropper.
  • The attacker compromised the Axios maintainer’s npm account and published the versions under a ProtonMail address, bypassing the project’s normal GitHub Actions release flow.
  • The rogue dependency was a fake package, plain-crypto-js, named to mimic the legitimate crypto-js; its postinstall script fetched a second-stage payload from a C2 server.
  • The dropper is OS-aware: it identifies the operating system, pulls a payload tailored to it, establishes remote access, then deletes itself to evade detection (including npm audit).
  • A compromised machine exposes everything the attacker can read: AWS credentials, OpenAI API keys, and any other secrets stored on the file system.
  • To check exposure, compare the installed Axios version (from the lockfile or node_modules/axios/package.json, not only the version range in package.json, and including transitive installs) against the two affected versions named in the video; the presence of plain-crypto-js in node_modules confirms that the rogue dependency was installed.
  • Simply deleting the RAT is insufficient: treat every API key and token on the affected machine as compromised and rotate them immediately, following StepSecurity’s incident guide.
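The check described in the last two points, as an added example (not from the video, the Axios project, or StepSecurity). It walks every node_modules directory in a checkout, including nested ones, because Axios is frequently a transitive dependency that never appears in the top-level package.json. The rogue package name plain-crypto-js is taken from the summary above; the two affected Axios version numbers are not given on this page, so `AXIOS_BAD_VERSIONS` is a placeholder the reader must fill from the advisory (an assumption, not a value from the source).

```shell
#!/bin/sh
# Added example (not from the video or the Axios project): scan a checkout
# for the indicators listed above. ROGUE_PKG comes from the summary; the
# affected axios version numbers are not on this page, so AXIOS_BAD_VERSIONS
# is a placeholder (assumption), e.g. AXIOS_BAD_VERSIONS="x.y.z a.b.c".
ROGUE_PKG="plain-crypto-js"
AXIOS_BAD_VERSIONS="${AXIOS_BAD_VERSIONS:-}"

# Print the version recorded in <node_modules dir>/<pkg>/package.json.
# Fails (status 1) if the package or its version field is absent. The sed
# expression takes the first line containing a "version" key, which is the
# package's own version in npm-written package.json files.
installed_version() {
  pkgjson="$1/$2/package.json"
  [ -f "$pkgjson" ] || return 1
  ver=$(sed -n 's/.*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$pkgjson" | head -n 1)
  [ -n "$ver" ] || return 1
  printf '%s\n' "$ver"
}

# Walk every node_modules directory under $1, nested ones included.
# Emits one tab-separated line per finding:
#   ROGUE <path>                 rogue package present on disk
#   AXIOS <OK|BAD> <ver> <path>  installed axios version and verdict
scan_tree() {
  find "$1" -type d -name node_modules 2>/dev/null |
  while IFS= read -r nm; do
    if [ -d "$nm/$ROGUE_PKG" ]; then
      printf 'ROGUE\t%s\n' "$nm/$ROGUE_PKG"
    fi
    v=$(installed_version "$nm" axios) || continue
    verdict=OK
    for bad in $AXIOS_BAD_VERSIONS; do
      if [ "$v" = "$bad" ]; then verdict=BAD; fi
    done
    printf 'AXIOS\t%s\t%s\t%s\n' "$verdict" "$v" "$nm/axios"
  done
}

# Lockfiles record what was resolved even after node_modules is wiped or the
# dropper has cleaned up after itself, so check them too.
# Emits "LOCK <file>" when the rogue package is referenced.
check_lockfiles() {
  for lock in package-lock.json npm-shrinkwrap.json yarn.lock pnpm-lock.yaml; do
    [ -f "$1/$lock" ] || continue
    if grep -q "$ROGUE_PKG" "$1/$lock"; then
      printf 'LOCK\t%s\n' "$1/$lock"
    fi
  done
}

# Status 0 (true) when any indicator is present under $1, 1 when none is.
is_exposed() {
  { scan_tree "$1"; check_lockfiles "$1"; } |
    grep -Eq '^(ROGUE|LOCK|AXIOS[[:space:]]+BAD)'
}

# Usage: AXIOS_BAD_VERSIONS="x.y.z a.b.c" sh scan.sh /path/to/project
if [ $# -gt 0 ] && [ -d "$1" ]; then
  scan_tree "$1"
  check_lockfiles "$1"
  if is_exposed "$1"; then
    echo "EXPOSED: rotate credentials; deleting the package is not enough" >&2
    exit 1
  fi
  echo "no indicators found under $1"
fi
```

A clean scan of node_modules is not proof that nothing ran: the postinstall hook executes during `npm install`, and the dropper removes itself afterwards, so a machine that installed an affected version even once should be treated as compromised regardless of what is on disk now. The lockfile check and CI install logs are the better record of whether that ever happened.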

2026-03-31 · Watch on YouTube