Malware & Ransomware | HIGH

Axios Supply Chain Attack - Malicious Packages Discovered

Source: Malwarebytes Labs
Tags: axios, npm, Remote Access Trojan, malicious packages

Basically, a hacker tricked developers into downloading bad software that can take control of their computers.

Quick Summary

A supply chain attack on Axios has led to malicious npm packages being distributed. Developers may have unknowingly installed a Remote Access Trojan. It's crucial to assess and secure your development environments to prevent exploitation.

What Happened

In a significant supply chain attack, researchers discovered that compromised versions of the Axios package on npm were distributing a Remote Access Trojan (RAT). The attacker exploited the credentials of a lead maintainer to publish malicious packages: axios@1.14.1 and axios@0.30.4. These versions, which can be found in many JavaScript projects, were downloaded millions of times, affecting a vast number of developers and applications.

The malicious packages introduced a new dependency called plain-crypto-js@4.2.1, which is not referenced in the original Axios source code. This means that developers who installed these versions could have inadvertently exposed sensitive information, including cloud keys and API tokens, to potential attackers. The RAT payload was designed to operate on multiple platforms, including macOS, Windows, and Linux, making it a versatile threat.

Who's Affected

The impact of this attack is extensive. Axios is widely used in modern web applications, including those built with popular frameworks like React, Vue, and Angular. Even if you haven't directly installed Axios, you might be using applications that depend on it. The compromised versions reached an alarming 100 million weekly downloads, indicating a broad attack surface across various web apps and services.

Developers who downloaded the affected versions should treat their environments as potentially compromised. This includes any machine that executed an npm install with the malicious packages. While end-users of applications built with Axios may not face immediate risks, developers must be vigilant about their development environments and security practices.

Signs of Infection

One of the alarming aspects of this attack is that the malware dropper cleans up after itself. Post-infection, inspecting the node_modules/plain-crypto-js/package.json will show no signs of compromise. This makes detection challenging, as tools like npm audit will not reveal the malicious activity. Researchers identified several Indicators of Compromise (IOCs) that developers should be aware of:

  • Domain: sfrclak[.]com
  • IP Address: 142.11.206.73
  • Files:
    • macOS: /Library/Caches/com.apple.act.mond
    • Linux: /tmp/ld.py
    • Windows: %PROGRAMDATA%\wt and %TEMP%\6202033.vbs/.ps1

How to Protect Yourself

If you are a developer who has installed the compromised versions of Axios, it is crucial to take immediate action. Treat any affected machine as fully compromised and rotate all secrets, including API keys and tokens. Ensure that you review your project dependencies and remove any malicious packages.
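Added example (not from the Malwarebytes article or the Axios project): a Node.js script that scans a project's package-lock.json for the two Axios versions and the plain-crypto-js dependency named above, serving both the detection point in "Signs of Infection" and the dependency review step here. The lockfile is useful because npm records resolved versions in it at install time, so it still shows what was installed after the dropper has cleaned up node_modules/plain-crypto-js/package.json; the embedded sample lockfile is constructed, and the format handling is standard npm (v1 nested "dependencies", v2/v3 flat "packages").

```javascript
// Added example (not from the Malwarebytes article): scan a package-lock.json for the
// axios and plain-crypto-js versions named in the advisory. npm records resolved versions
// in the lockfile at install time, so it still shows what was installed even after the
// dropper has cleaned up node_modules/plain-crypto-js/package.json.
const COMPROMISED = { axios: new Set(['1.14.1', '0.30.4']), 'plain-crypto-js': new Set(['4.2.1']) };

// Yield { name, version } for each installed package. Lockfile v2/v3 has a flat
// "packages" map keyed by path ("node_modules/a/node_modules/b"); v1 nests packages
// under "dependencies". v2 carries both, so prefer "packages" to avoid double counting.
function* lockfileEntries(lock) {
  if (lock.packages) {
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (!key || !meta.version) continue; // "" is the root project itself
      const idx = key.lastIndexOf('node_modules/'); // last segment is the package name
      yield { name: idx < 0 ? key : key.slice(idx + 'node_modules/'.length), version: meta.version };
    }
    return;
  }
  const walk = function* (deps) {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (meta.version) yield { name, version: meta.version };
      yield* walk(meta.dependencies);
    }
  };
  yield* walk(lock.dependencies);
}

// Accept a parsed object or raw JSON text; return one finding per distinct name@version.
// plain-crypto-js is reported at any version because genuine Axios never referenced it.
function findCompromised(lockJson) {
  const lock = typeof lockJson === 'string' ? JSON.parse(lockJson) : lockJson;
  const findings = [], seen = new Set();
  for (const { name, version } of lockfileEntries(lock)) {
    if (seen.has(`${name}@${version}`)) continue;
    seen.add(`${name}@${version}`);
    if (COMPROMISED[name]?.has(version)) findings.push({ name, version, reason: 'version named in the advisory' });
    else if (name === 'plain-crypto-js') findings.push({ name, version, reason: 'not a dependency of genuine axios' });
  }
  return findings;
}

// Constructed sample (v3 shape) standing in for a real project's package-lock.json.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '^4.2.1' } },
  'node_modules/plain-crypto-js': { version: '4.2.1' },
  'node_modules/react': { version: '18.3.1' },
} };
for (const f of findCompromised(SAMPLE_LOCK)) console.log(`FLAG ${f.name}@${f.version}: ${f.reason}`);
```

Point the function at a real file with `findCompromised(fs.readFileSync('package-lock.json', 'utf8'))`; an empty result means the lockfile does not record the versions named here, not that the machine is clean, so the file-based IOCs above still need checking.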

For those using applications built with Axios, there is no direct threat unless you are also involved in the development process. However, it is always wise to stay informed about the dependencies in your applications. Regularly update your packages and monitor for any unusual activities in your development environment. By maintaining good security hygiene, you can mitigate risks associated with such supply chain attacks.

🔒 Pro insight: This incident underscores the vulnerabilities in open-source supply chains; developers must implement stricter package verification to mitigate similar threats.

