StepSecurity's Harden Runner detected that recent CI workflow runs in this repository executed a compromised version of the axios npm package that communicates with a known command-and-control (C2) domain.
What happened
Multiple versions of the axios npm package (v1.14.1 and v0.30.4) were compromised and published to npm. These versions contain a remote access trojan (RAT) that connects to the C2 domain sfrclak.com. For full details, see our blog post: Axios Compromised on NPM: Malicious Versions Drop Remote Access Trojan
Affected workflow runs
Harden Runner detected outbound network connections to the C2 domain sfrclak.com in the following workflow runs of .github/workflows/ci.yaml:
How to verify
For each workflow run linked above, go to the StepSecurity Insights page and search for sfrclak.com in the network events to see where the C2 domain was contacted.
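To complement the manual search in Insights, the following added example (not StepSecurity's own tooling) checks a package-lock.json for the two compromised axios versions named above, covering both the flat lockfileVersion 2/3 layout and the nested lockfileVersion 1 tree, and filters a list of network events for connections to the C2 domain or any of its subdomains. The event record shape and the sample inputs are constructed assumptions, not the real Insights export format.

```python
from typing import Dict, List, Set

# Compromised axios versions and the C2 domain named in the advisory above.
COMPROMISED_AXIOS: Set[str] = {"1.14.1", "0.30.4"}
C2_DOMAIN = "sfrclak.com"

def find_compromised_axios(lockfile: Dict) -> List[str]:
    """Return install paths of axios entries pinned to a compromised version.
    Handles lockfileVersion 2/3 (flat "packages" map keyed by install path) and
    lockfileVersion 1 (nested "dependencies" tree), including nested copies
    such as node_modules/foo/node_modules/axios."""
    hits: List[str] = []
    for path, meta in lockfile.get("packages", {}).items():
        if path.split("/")[-1] == "axios" and meta.get("version") in COMPROMISED_AXIOS:
            hits.append(path)

    def walk(deps: Dict, prefix: str) -> None:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == "axios" and meta.get("version") in COMPROMISED_AXIOS:
                hits.append(path)
            walk(meta.get("dependencies", {}), path + "/")
    if "packages" not in lockfile:  # v1 only; v2 carries both maps, avoid double counting
        walk(lockfile.get("dependencies", {}), "")
    return hits

def c2_contacts(events: List[Dict]) -> List[Dict]:
    """Return network events whose destination is the C2 domain or a subdomain of it."""
    out: List[Dict] = []
    for ev in events:
        host = str(ev.get("domain", "")).rstrip(".").lower()
        if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
            out.append(ev)
    return out

# Constructed sample inputs; the event shape is an assumption, not the real Insights export format.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}
SAMPLE_EVENTS = [
    {"step": "npm ci", "domain": "registry.npmjs.org", "port": 443},
    {"step": "npm test", "domain": "sfrclak.com", "port": 443},
]

if __name__ == "__main__":
    print(find_compromised_axios(SAMPLE_LOCK), [e["step"] for e in c2_contacts(SAMPLE_EVENTS)])
```

Run it against a real lockfile by loading the file with `json.load` and passing the result to `find_compromised_axios`; an empty list means neither compromised version is pinned anywhere in the tree.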
Recommended actions
- Rotate any credentials — If the affected workflow runs had access to secrets or credentials (API keys, tokens, deployment keys, etc.), rotate them immediately. The RAT may have exfiltrated sensitive data.
How this was detected
StepSecurity Harden Runner monitors network traffic from GitHub Actions workflow runs in real time.
We are proactively reaching out to affected repositories to help mitigate the impact.