Malware & Ransomware | Severity: HIGH

Axios Supply Chain Attack - Malicious npm Dependency Injected

Source: The Hacker News
Tags: Axios, npm, RAT, plain-crypto-js, supply chain attack

In plain terms: attackers took over a maintainer's npm account and slipped a harmful program into Axios's software updates.

Quick Summary

A supply chain attack on Axios led to a malicious npm dependency being injected. Users are at risk of a RAT compromising their systems. Immediate action is required to secure environments.

What Happened

A significant supply chain attack has targeted the widely used HTTP client, Axios. Two recent versions of the npm package, specifically versions 1.14.1 and 0.30.4, were compromised. Attackers injected a malicious dependency called plain-crypto-js version 4.2.1 into these updates. This attack was executed using the compromised npm account of the primary maintainer, allowing the attackers to bypass security measures in the project's CI/CD pipeline.

The malicious dependency serves a singular purpose: it executes a postinstall script that acts as a cross-platform remote access trojan (RAT) dropper. This dropper is designed to target multiple operating systems, including macOS, Windows, and Linux. According to security researchers, the attackers meticulously planned this breach, staging the malicious dependency 18 hours in advance.

Who's Affected

With over 83 million weekly downloads, Axios is a critical component of many JavaScript applications across various frameworks and services. Users who have installed the compromised versions are at risk of having their systems infiltrated by the RAT. The attack’s impact is widespread, affecting developers and organizations that rely on Axios for their HTTP client needs.

Those using versions 1.14.1 or 0.30.4 must take immediate action to secure their systems. The attackers not only targeted Axios but also aimed to compromise user credentials and secrets, posing a significant risk to data integrity and security.

What Data Was Exposed

While no direct data breach has been reported, the malware's capabilities allow it to execute commands, retrieve sensitive information, and potentially compromise user credentials. The RAT can run shell commands, enumerate the file system, and communicate with a command-and-control server for further instructions. This means that any sensitive data on affected systems could be at risk, making it crucial for users to act swiftly.

The malicious versions of Axios and the plain-crypto-js package are no longer available for download, but users must still verify if they have been affected. The malware's design includes self-destruct mechanisms to evade detection, complicating forensic investigations.

What You Should Do

If you are using Axios versions 1.14.1 or 0.30.4, take the following actions immediately:

  • Downgrade to safe versions: 1.14.0 or 0.30.3.
  • Check for the presence of malicious files associated with the RAT on your system:
    • macOS: /Library/Caches/com.apple.act.mond
    • Windows: %PROGRAMDATA%\wt.exe
    • Linux: /tmp/ld.py
  • Remove the plain-crypto-js package from your node_modules directory.
  • Rotate any credentials that may have been compromised.
  • Audit your CI/CD pipelines for any installations of the affected versions.
  • Block egress traffic to the command-and-control domain identified in the attack.

By taking these steps, you can help mitigate the risks associated with this supply chain attack and protect your systems from further compromise.

🔒 Pro insight: The precision of this attack highlights the need for enhanced security measures in package management systems to prevent similar incidents.

