Axios npm Supply Chain Attack Delivers Cross-Platform RAT, CISA Orders Emergency Citrix Patching, Silver Fox Deploys AtlasCross RAT, Fortinet EMS Exploitation Begins
The massively popular Axios npm package (83M+ weekly downloads) is compromised via a hijacked maintainer account, delivering a cross-platform RAT targeting Windows, macOS, and Linux. CISA issues an emergency directive ordering federal agencies to patch actively exploited Citrix NetScaler CVE-2026-3055 by Thursday. Chinese APT Silver Fox expands across Asia with a new AtlasCross RAT delivered via typosquatted domains. Fortinet FortiClient EMS critical SQL injection flaw exploitation begins in the wild. Dutch Finance Ministry takes treasury banking portal offline as breach investigation expands.
1. Axios npm Supply Chain Attack — Cross-Platform RAT Hits 83M Weekly Downloads
⚠ CRITICAL — Active Supply Chain Compromise
Axios versions 1.14.1 and 0.30.4 contain a malicious dependency that drops a cross-platform RAT targeting Windows, macOS, and Linux. The attack was executed via compromised npm credentials of the primary maintainer. Immediate downgrade and secret rotation required.
The Axios HTTP client library — one of the most widely used packages in the JavaScript ecosystem with over 83 million weekly downloads — has suffered a sophisticated supply chain attack. Two malicious versions (1.14.1 and 0.30.4) were published to npm using the compromised credentials of primary maintainer "jasonsaayman."
Attack Mechanics
The attacker injected a fake dependency called "plain-crypto-js" (version 4.2.1), whose sole purpose is to execute a postinstall script acting as a cross-platform RAT dropper. The malware contacts a live C2 server and delivers platform-specific second-stage payloads for macOS, Windows, and Linux. After execution, it self-destructs and replaces its own package.json with a clean version to evade forensic detection.
Precise Attack Timeline
- March 30, 05:57 UTC — Clean "plain-crypto-js@4.2.0" published as staging
- March 30, 23:59 UTC — Malicious "plain-crypto-js@4.2.1" with payload published
- March 31, 00:21 UTC — Compromised "axios@1.14.1" published via hijacked account
- March 31, 01:00 UTC — Compromised "axios@0.30.4" published (39 minutes later)
StepSecurity researcher Ashish Kurmi emphasized: "This was not opportunistic. The malicious dependency was staged 18 hours in advance. Three separate payloads were pre-built for three operating systems. Both release branches were hit within 39 minutes. Every trace was designed to self-destruct."
Immediate Actions Required
- Downgrade immediately to Axios 1.14.0 or 0.30.3
- Rotate all secrets and credentials on affected systems
- Audit CI/CD pipelines for any builds using compromised versions
- Check for indicators of C2 communication from build/production environments
- The malicious versions and "plain-crypto-js" have been removed from npm
2. CISA Orders Emergency Citrix NetScaler Patching — CVE-2026-3055 Actively Exploited
⚠ CRITICAL — Emergency Federal Directive with Thursday Deadline
CISA has added CVE-2026-3055 to the Known Exploited Vulnerabilities catalog and ordered all federal agencies to patch Citrix NetScaler appliances by April 2. The flaw is technically similar to the devastating CitrixBleed vulnerabilities and is already being exploited to steal admin session IDs.
CISA has issued an emergency patching directive after adding Citrix NetScaler vulnerability CVE-2026-3055 to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch agencies must secure all vulnerable appliances by Thursday, April 2, under BOD 22-01.
Technical Details
The vulnerability stems from insufficient input validation in Citrix ADC and Citrix Gateway appliances configured as SAML identity providers (IDPs). Unauthenticated remote attackers can exploit it to leak sensitive application memory, including admin authentication session IDs — potentially enabling full appliance takeover.
Cybersecurity firm Watchtowr confirmed active exploitation began days after Citrix released patches on March 23, with attackers targeting the same memory-leak class of bugs that made CitrixBleed and CitrixBleed2 so devastating.
Exposure Scale
- ~30,000 NetScaler ADC appliances tracked by Shadowserver
- 2,300+ Gateway instances exposed online
- Resembles CitrixBleed (CVE-2023-4966) attack pattern
- Patch released March 23 — exploitation confirmed within days
- All organizations using NetScaler as SAML IDP should patch immediately
3. Silver Fox APT Deploys AtlasCross RAT via Typosquatted Domains
🔶 HIGH — New RAT in Chinese APT Arsenal
Chinese cybercrime group Silver Fox has deployed a previously undocumented AtlasCross RAT via 11+ typosquatted domains impersonating Surfshark, Signal, Telegram, Zoom, and Microsoft Teams.
Chinese-speaking users are being targeted by Silver Fox (also tracked as SwimSnake, Valley Thief, UTG-Q-1000, and Void Arachne) in an active campaign using typosquatted domains impersonating trusted software brands. The campaign delivers a previously undocumented remote access trojan named AtlasCross RAT.
Campaign Infrastructure
German cybersecurity firm Hexastrike identified 11 confirmed delivery domains covering:
- VPN clients — Surfshark VPN impersonation
- Encrypted messengers — Signal, Telegram fake sites
- Video conferencing — Zoom, Microsoft Teams lookalikes
- Cryptocurrency trackers and e-commerce applications
Technical Evolution
AtlasCross RAT represents a significant evolution from Silver Fox's previous arsenal of Gh0st RAT derivatives (ValleyRAT/Winos 4.0, Gh0stCringe, HoldingHands RAT). The attack chain uses bogus websites to deliver ZIP archives containing a trojanized Autodesk binary that launches a shellcode loader, extracting C2 details from an embedded Gh0st RAT configuration and downloading second-stage payloads over TCP port 9899.
Defensive Recommendations
- Block known Silver Fox C2 domains, particularly "bifa668[.]com"
- Validate software download sources — use only official vendor sites
- Monitor for unexpected Autodesk binary execution
- Alert on TCP 9899 outbound connections
- Most fake domains were registered in a single day, suggesting coordinated campaigns
4. Fortinet FortiClient EMS Critical SQL Injection — Active Exploitation Begins
⚠ CRITICAL — Enterprise Endpoint Management at Risk
A critical SQL injection vulnerability in Fortinet FortiClient EMS allows unauthenticated attackers to execute arbitrary code remotely via crafted HTTP requests. Exploitation in the wild has been confirmed.
Exploitation of a critical-severity SQL injection flaw in Fortinet FortiClient Enterprise Management Server (EMS) has begun in the wild. The vulnerability allows unauthenticated remote attackers to execute arbitrary code via specially crafted HTTP requests targeting the management console.
Impact Assessment
FortiClient EMS is widely deployed across enterprises for centralized endpoint management, patch deployment, and security policy enforcement. A successful exploit gives attackers:
- Remote code execution on the EMS server
- Access to managed endpoint configurations and credentials
- Potential to push malicious policies to all managed FortiClient endpoints
- Lateral movement capability across the entire managed fleet
Immediate Actions
- Apply Fortinet security updates immediately
- Restrict network access to EMS management interfaces
- Monitor EMS logs for unusual SQL patterns and HTTP requests
- Review managed endpoint configurations for unauthorized changes
- Consider temporary network isolation of EMS servers until patched
5. Dutch Finance Ministry Expands Breach Response — Treasury Portal Offline
🔶 HIGH — Government Digital Infrastructure Disrupted
The Dutch Finance Ministry has taken its treasury banking portal and multiple systems offline, affecting ~1,600 public institutions' ability to access treasury accounts online.
The Dutch Ministry of Finance has significantly expanded its breach response, taking the digital treasury banking portal offline along with multiple other systems after the March 19 cyberattack. Minister of Finance Eelco Heinen disclosed in a statement to the Dutch House of Representatives that the shutdown affects approximately 1,600 public institutions.
Cascading Impact
- ~1,600 public institutions cannot view treasury account balances online
- Loan applications, deposits, credit requests, and report generation suspended
- Affected entities include ministries, government agencies, educational organizations, social funds, and local governments
- Incoming and outgoing payments continue via regular banking channels
- Manual minimum service levels maintained for essential processes
Investigation Status
The Dutch National Cyber Security Center (NCSC) is assisting the investigation. No threat actor or cybercrime group has claimed responsibility. The ministry initially disclosed the breach last week, stating tax collection and citizen-facing services were unaffected, but today's expanded shutdown reveals the incident's impact is broader than initially communicated.
Threat Landscape Summary
| Threat | Severity | Action Required |
|---|---|---|
| Axios npm supply chain RAT | CRITICAL | Downgrade to 1.14.0/0.30.3, rotate all secrets |
| Citrix NetScaler CVE-2026-3055 | CRITICAL | Patch SAML IDP appliances by April 2 |
| Silver Fox AtlasCross RAT | HIGH | Block typosquatted domains, monitor TCP 9899 |
| Fortinet FortiClient EMS SQLi | CRITICAL | Patch EMS, restrict management interface access |
| Dutch Finance Ministry breach | HIGH | Dutch partners: verify shared infrastructure exposure |
Stay Ahead of the Threat Curve
Daily intelligence briefings, real-world attack analysis, and actionable defensive guidance.
Explore KENSAI— KENSAI Security Intelligence · Published March 31, 2026