Axios npm Account Hijacked - RAT Malware Spread Alert
In short, attackers took over the publishing account of a widely used software library and used it to distribute malware.
Hackers hijacked the Axios npm account to spread RAT malware. With millions of downloads, many systems are at risk. Developers should check their projects for compromised packages.
What Happened
In a significant supply chain attack, threat actors compromised the npm account of Axios, a popular JavaScript library with over 100 million weekly downloads. They published malicious package updates that spread remote access trojans (RATs) across various operating systems, including Linux, Windows, and macOS. The attack was identified by security firms soon after the rogue updates appeared on the npm registry, raising immediate alarms.
The attackers published two malicious versions of Axios (1.14.1 and 0.30.4) within an hour; the releases bypassed OIDC verification and did not correspond to any legitimate commit in the GitHub repository. Because nothing blocked the unverified publish, the attackers were able to add a dependency called plain-crypto-js, which deployed the RAT across multiple platforms. Security experts believe the maintainer, Jason Saayman, had his npm account compromised, leading to this dangerous situation.
Who's Being Targeted
Given Axios's extensive usage, the impact of this attack is potentially vast. With approximately 400 million monthly downloads, many downstream projects could have been exposed during the attack window. Researchers from Socket reported that a malicious release of the plain-crypto-js package was detected shortly after it was published, indicating a coordinated effort to target Axios.
The compromised versions allowed malware to spread through a trusted library, affecting numerous developers who rely on automatic updates. This incident highlights how a single poisoned dependency can quickly propagate through the software ecosystem, especially in environments with automated build processes.
Signs of Infection
The malicious code was designed to remain hidden. It employed obfuscation techniques to avoid detection and executed automatically during installation via a post-install script. Once the malware was running, it checked the operating system and downloaded a tailored second-stage payload for each platform. For macOS users, this payload was a fully functional RAT capable of gathering system information and executing commands remotely.
Even after execution, the malware attempted to cover its tracks by deleting installation files and restoring the package content to appear normal. This stealthy behavior makes it challenging for users to identify if their systems have been compromised, as traces may still linger even after files are removed.
How to Protect Yourself
To determine whether you are affected by this attack, check whether your project includes the malicious Axios versions (1.14.1 or 0.30.4) or the hidden plain-crypto-js package, in your lockfile as well as in installed node_modules trees. Users should also check for leftover files or RAT artifacts on their systems. Automated tools like Aikido can help scan dependencies to quickly detect any compromised packages.
Both Socket and Aikido have provided Indicators of Compromise (IOCs) for this attack, which can assist security teams in identifying and mitigating the risks associated with this incident. Given the scale of Axios's usage, immediate action is crucial to prevent further exploitation of vulnerable systems.