security-axios
Security: Axios Supply-Chain Attack Scanner
Mission
Scan the entire Mac for the axios npm supply-chain compromise (2026-03-31).
Check package.json and all lock files (package-lock.json, yarn.lock, pnpm-lock.yaml).
Detect anti-forensics (dropper self-cleanup), related campaign packages, and verify RAT SHA256.
Produce a full HTML threat report and open it automatically.
Background
On 2026-03-31, axios versions 1.14.1 and 0.30.4 were published via a compromised maintainer
account (jasonsaayman, email changed to ifstap@proton.me) with an injected dependency
plain-crypto-js@4.2.1. Its postinstall hook (setup.js) deployed a cross-platform RAT that
beacons to sfrclak[.]com:8000 every 60 seconds. On macOS the RAT binary is
/Library/Caches/com.apple.act.mond. The dropper self-destructs after execution: setup.js is
deleted and package.json is replaced with a clean stub reporting version 4.2.0, so inspecting
node_modules after infection will NOT reveal the malicious manifest. The presence of the
node_modules/plain-crypto-js/ directory alone confirms the dropper ran.
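As an added example (not the scanner's own code), the checks described above as a minimal Python detector: it walks a project tree, matches the compromised axios versions and the injected plain-crypto-js dependency in package.json and the three lock-file formats, treats a surviving node_modules/plain-crypto-js/ directory as proof the dropper ran, and hashes the macOS RAT path for comparison with a published value (no hash is given on this page). The indicators come from the Background section; the infected sample tree is constructed.

```python
"""Detector for the 2026-03-31 axios compromise; indicators from the write-up above."""
import hashlib, os, re, tempfile
from pathlib import Path

COMPROMISED_AXIOS = ("1.14.1", "0.30.4")          # versions pushed from the hijacked account
DROPPER_PKG = "plain-crypto-js"                   # injected dependency carrying the postinstall RAT
MANIFESTS = ("package.json", "package-lock.json", "yarn.lock", "pnpm-lock.yaml")
RAT_PATH = Path("/Library/Caches/com.apple.act.mond")  # macOS RAT binary location

def scan_manifest_text(text):
    # Format-agnostic heuristic: package name followed within 80 chars by a bad version.
    hits = []
    for ver in COMPROMISED_AXIOS:
        if re.search(r"axios.{0,80}?\b" + re.escape(ver) + r"\b", text, re.S):
            hits.append(f"axios@{ver}")
    if DROPPER_PKG in text:   # any pin of the injected dependency is suspicious
        hits.append(DROPPER_PKG)
    return hits

def scan_tree(root):
    """Map path -> hits for manifests with indicators and for any node_modules/plain-crypto-js
    directory (the dropper deletes setup.js and rewrites package.json, so the dir is the proof)."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "node_modules" and DROPPER_PKG in dirnames:
            findings[os.path.join(dirpath, DROPPER_PKG)] = ["dropper directory present"]
        for name in filenames:
            if name in MANIFESTS:
                path = os.path.join(dirpath, name)
                hits = scan_manifest_text(Path(path).read_text(errors="replace"))
                if hits:
                    findings[path] = hits
    return findings

def rat_sha256(path=RAT_PATH):
    """SHA256 of the RAT binary if present, for comparison with a vendor-published hash."""
    path = Path(path)
    return hashlib.sha256(path.read_bytes()).hexdigest() if path.is_file() else None

def build_sample_tree():
    """Constructed infected project (demo input only); returns its root directory."""
    root = tempfile.mkdtemp(prefix="axios-scan-")
    Path(root, "package-lock.json").write_text(
        '{"packages": {"node_modules/axios": {"version": "1.14.1"}}}')
    Path(root, "node_modules", DROPPER_PKG).mkdir(parents=True)   # self-cleaned dropper dir
    Path(root, "node_modules", DROPPER_PKG, "package.json").write_text(
        '{"name": "plain-crypto-js", "version": "4.2.0"}')        # the clean stub it leaves behind
    return root

if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

Point scan_tree at a real home directory to cover every checked-out project; the walk is read-only.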