Malware - Axios npm Supply Chain Attack Unleashes RAT

Basically, bad updates to a popular software package let hackers control computers.
A major supply chain attack on the Axios npm package has introduced a remote access trojan. Millions of users are at risk, prompting urgent security measures. Check your systems for malicious updates and take immediate action.
What Happened
Late Monday night, the axios npm package was compromised, leading to the introduction of a remote access trojan (RAT). Axios is a widely used HTTP client library, boasting around 100 million weekly downloads. The malicious updates, specifically versions 1.14.1 and 0.30.4, were published through the npm account of axios’ primary maintainer, Jason Saayman, whose credentials were likely compromised. This incident highlights the vulnerabilities inherent in software supply chains.
The malicious dependency, plain-crypto-js, was added via a postinstall script that triggered the installation of the RAT backdoor. This attack was discovered by StepSecurity and reported promptly, but the implications are severe given the library's extensive use across various applications.
Who's Being Targeted
The attack targets users of the axios library on Windows, macOS, and Linux. The RAT uses an OS-specific stage on each platform, then opens a backdoor that connects to a command and control (C2) server. The scale is alarming: axios is a core component of many Node.js and browser applications, so the potential impact is vast.
The compromised updates were designed to self-destruct, leaving little trace behind. This operational sophistication makes it one of the most concerning supply chain attacks documented to date.
Signs of Infection
To determine whether your system has been affected, check your projects for the malicious axios versions (1.14.1 and 0.30.4), including transitive installs. Specifically, look for plain-crypto-js in your node_modules directory. Additionally, inspect your CI/CD pipeline logs for any npm install runs that resolved either malicious version.
For Windows users, look for the artifact located at %PROGRAMDATA%/wt.exe. macOS users should check /Library/Caches/com.apple.act.mond, while Linux users need to verify /tmp/ld.py. If any of these artifacts are found, your system may be compromised.
How to Protect Yourself
If you suspect your system has been affected, treat it as fully compromised. Rebuild from a known-good state and rotate any credentials or secrets stored on the machine. It's crucial to block any traffic to the C2 domain sfrclak.com and the associated IP address.
As a preventive measure, always monitor your dependencies for updates and vulnerabilities. Regularly audit your software supply chain to mitigate risks associated with similar attacks in the future. This incident serves as a stark reminder of the importance of securing software supply chains and maintaining vigilance in application security.