GHSA-3hfp-gqgh-xc5g: Axios supply chain attack - dependency in @lightdash/cli may resolve to compromised axios versions
Summary
A supply chain attack compromised the axios npm package (versions 1.14.1 and 0.30.4) by injecting a malicious dependency that installs a RAT (remote access trojan, malware giving attackers shell access and command execution). The @lightdash/cli package could resolve to these compromised axios versions during installation, potentially affecting users who installed @lightdash/cli versions 0.1800.0 through 0.2695.0 without a lockfile (a file that pins exact dependency versions) during the roughly 3-hour window the malicious versions were available on npm.
Solution / Mitigation
Upgrade @lightdash/cli immediately to version 0.2695.1, which pins axios to the safe version 1.14.0, using: `npm install -g @lightdash/cli@0.2695.1`.
If unable to upgrade immediately, force-install the safe axios version with `npm install -g axios@1.14.0 --force`.
For Docker images or lockfile-based setups, verify axios is not version 1.14.1 or 0.30.4 by running `npm ls axios`.
Additionally, block network traffic to the attacker's command-and-control servers (`sfrclak[.]com` and `142.11.206.73:8000`) at the network level.
If compromise is suspected, check for RAT artifacts (macOS: `/Library/Caches/com.apple.act.mond`, Windows: `%PROGRAMDATA%\wt.exe`, Linux: `/tmp/ld.py`), and if found, rotate all credentials and secrets.
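The verification steps above can be scripted so they run the same way on every host and in CI. The following POSIX shell script is an added example written for this page, not code from the advisory or from the Lightdash project. It takes the compromised axios versions and the macOS/Linux artifact paths from the advisory; the function names, the optional root-prefix argument, and the sample `npm ls axios --json` output embedded below are constructed for illustration. The sample deliberately gives the root package a version of 1.14.1 to show that only the `axios` entries are inspected.

```shell
#!/bin/sh
# Added example for GHSA-3hfp-gqgh-xc5g: flag compromised axios releases in an
# npm dependency tree and look for the RAT artifact paths named in the advisory.

# Compromised axios releases listed in the advisory.
COMPROMISED_AXIOS="1.14.1 0.30.4"

# Artifact paths from the advisory that a POSIX shell can check directly.
# The Windows path (%PROGRAMDATA%\wt.exe) is not checkable from sh and is omitted.
RAT_ARTIFACT_PATHS="/Library/Caches/com.apple.act.mond /tmp/ld.py"

# Return 0 if the given axios version is one of the compromised releases.
is_compromised_axios() {
  for bad in $COMPROMISED_AXIOS; do
    [ "$1" = "$bad" ] && return 0
  done
  return 1
}

# Read `npm ls axios --json` output on stdin and print every compromised axios
# version found, one per line. Whitespace is stripped first so the pretty-printed
# JSON collapses to one line, then only `"axios":{"version":"..."` entries are
# matched; the root package's own "version" field is ignored. No jq required.
find_compromised_in_npm_ls() {
  for v in $(tr -d ' \n\t' | grep -o '"axios":{"version":"[^"]*"' \
             | sed 's/.*"\([^"]*\)"$/\1/'); do
    is_compromised_axios "$v" && echo "$v"
  done
  return 0
}

# Print each RAT artifact path that exists. An optional first argument is a
# root prefix (e.g. a mounted image or a test directory), defaulting to "/".
find_rat_artifacts() {
  root="${1:-}"
  for p in $RAT_ARTIFACT_PATHS; do
    [ -e "$root$p" ] && echo "$root$p"
  done
  return 0
}

# Constructed sample of `npm ls axios --json` output: a nested axios@1.14.1 under
# @lightdash/cli (compromised) and a top-level axios@1.14.0 (safe). The root
# package version is set to 1.14.1 as a decoy the parser must not report.
SAMPLE_NPM_LS='{
  "version": "1.14.1",
  "name": "example-app",
  "dependencies": {
    "@lightdash/cli": {
      "version": "0.2600.0",
      "dependencies": {
        "axios": {
          "version": "1.14.1"
        }
      }
    },
    "axios": {
      "version": "1.14.0"
    }
  }
}'

# Usage: `sh check_axios.sh --check` inspects the global npm tree and the local
# filesystem; with no arguments the script only defines the functions above.
if [ "$#" -gt 0 ] && [ "$1" = "--check" ]; then
  echo "Compromised axios versions in global tree:"
  npm ls -g axios --json | find_compromised_in_npm_ls
  echo "RAT artifacts present:"
  find_rat_artifacts
fi
```

Run the same pipeline against a project tree with `npm ls axios --json | sh -c '. ./check_axios.sh; find_compromised_in_npm_ls'`, or point `find_rat_artifacts` at a mounted image root to inspect a container filesystem without booting it. A non-empty result from either function is the signal to follow the credential-rotation step in the advisory.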
Original source: https://github.com/advisories/GHSA-3hfp-gqgh-xc5g
First tracked: April 2, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 92%