HIGH · Malware & Ransomware

Axios Supply Chain Compromise - Cross-Platform RAT Detected

Elastic Security Labs
axios · npm · Remote Access Trojan
Basically, hackers used a trusted software package to secretly install malware on many computers.

Quick Summary

A major supply chain attack compromised the axios npm package, delivering a cross-platform RAT. Millions of users are at risk. Developers must update to secure versions immediately.

What Happened

On March 30, 2026, a significant supply chain compromise was detected involving the axios npm package, a widely used JavaScript library with approximately 100 million weekly downloads. The attacker gained unauthorized access to the maintainer account of jasonsaayman and published two malicious versions of the axios package. These versions, 1.14.1 and 0.30.4, contained a Remote Access Trojan (RAT) that could infect macOS, Windows, and Linux systems through a malicious postinstall hook.

The compromised versions were built to pull in a new dependency, plain-crypto-js, which executed a platform-specific RAT upon installation. The attack was particularly concerning because of the sheer number of users who could download the backdoored package by default.

Who's Affected

The attack primarily affects developers and projects that utilize the axios package for HTTP requests. Given axios's popularity, the blast radius is extensive, impacting countless applications and services relying on this library. Users who installed either of the compromised versions unknowingly exposed their systems to the RAT, which could allow attackers to gain remote control.

The compromised maintainer account was pivotal in this attack, as it enabled the attacker to publish malicious updates that appeared legitimate to unsuspecting users. The incident serves as a stark reminder of the vulnerabilities present in widely used open-source software.

What Data Was Exposed

The RAT deployed through the compromised axios package is capable of extensive data collection and system manipulation. It collects sensitive information such as:

  • Hostname and username
  • OS version and hardware model
  • Process lists and system profiles

Each platform variant of the RAT (Windows, macOS, and Linux) shares an identical command and control (C2) protocol, allowing attackers to issue commands and receive data from infected systems. This uniformity suggests a coordinated effort by the attackers to maximize their reach and effectiveness.

What You Should Do

If you are a developer using the axios package, it is crucial to check your dependencies and ensure you are using safe versions. The last legitimate versions are axios@1.14.0 and axios@0.30.3. You should:

  • Update your package dependencies immediately.
  • Monitor your systems for any suspicious activity.
  • Consider implementing additional security measures, such as using package integrity checks and automated dependency monitoring tools.
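One way to carry out the dependency check described above, as an added example that is not code from the Elastic Security Labs article: a Node script that walks an npm lockfile (any lockfileVersion) and reports every resolved copy of the two malicious axios releases, plus any copy of plain-crypto-js, the dependency those releases pulled in. The package names and versions are the ones named in the write-up; the two sample lockfiles embedded in the script are constructed for offline use.

```javascript
// Added example, not code from the Elastic Security Labs article: scan an npm
// lockfile for the two malicious axios releases (1.14.1, 0.30.4) and for the
// plain-crypto-js dependency they introduced. Package names and versions are
// those named in the write-up; the sample lockfiles below are constructed.

const MALICIOUS_AXIOS = new Set(['1.14.1', '0.30.4']);
const DROPPER_DEP = 'plain-crypto-js';

// Classify one resolved package. Returns a reason string, or null if unremarkable.
function classify(name, version) {
  if (name === 'axios' && MALICIOUS_AXIOS.has(version)) {
    return 'compromised axios release';
  }
  if (name === DROPPER_DEP) {
    return 'dependency introduced only by the compromised axios releases';
  }
  return null;
}

// lockfileVersion 1: nested "dependencies" tree, one object per package.
function walkV1(deps, parentPath, out) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${parentPath}node_modules/${name}`;
    const reason = classify(name, meta.version);
    if (reason) out.push({ path, name, version: meta.version, reason });
    walkV1(meta.dependencies, `${path}/`, out); // nested (deduped) installs
  }
}

// lockfileVersion 2/3: flat "packages" map keyed by node_modules path.
// Aliased installs carry the real package name in meta.name.
function walkPackages(packages, out) {
  for (const [path, meta] of Object.entries(packages || {})) {
    if (path === '') continue; // the root project entry
    const idx = path.lastIndexOf('node_modules/');
    const name = meta.name || path.slice(idx + 'node_modules/'.length);
    const reason = classify(name, meta.version);
    if (reason) out.push({ path, name, version: meta.version, reason });
  }
}

// Scan a parsed package-lock.json / npm-shrinkwrap.json of any lockfile version.
function scanLockfile(lock) {
  const out = [];
  if (lock.packages) walkPackages(lock.packages, out);
  else walkV1(lock.dependencies, '', out);
  return out;
}

// Read and scan a lockfile from disk.
function scanLockfileAt(file) {
  const { readFileSync } = require('node:fs');
  return scanLockfile(JSON.parse(readFileSync(file, 'utf8')));
}

// Constructed sample lockfiles (not real project data).
const SAMPLE_COMPROMISED = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/plain-crypto-js': { version: '1.0.0' },
    'node_modules/follow-redirects': { version: '1.15.0' },
  },
};
const SAMPLE_CLEAN = {
  lockfileVersion: 1,
  dependencies: {
    axios: { version: '1.14.0', dependencies: { 'follow-redirects': { version: '1.15.0' } } },
  },
};

// CLI: node scan-lock.js [path/to/package-lock.json]
// With a path, the exit code is 1 when anything is flagged, so the script can
// gate a CI job; without a path it scans the constructed sample.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const findings = file ? scanLockfileAt(file) : scanLockfile(SAMPLE_COMPROMISED);
  for (const f of findings) console.log(`${f.path}@${f.version}: ${f.reason}`);
  if (file) process.exitCode = findings.length ? 1 : 0;
}
```

Run it against each project's lockfile rather than package.json alone: a caret range such as `^1.14.0` in package.json says nothing about which release was actually resolved, while the lockfile records the exact version installed. A clean result still only covers the versions named here, so pair it with the dependency update and the monitoring the list above calls for.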

This incident underscores the importance of vigilance in software supply chains and the need for robust security practices when managing dependencies.

🔒 Pro insight: This incident highlights the critical need for enhanced security measures in npm package management to prevent future supply chain attacks.

Original article from Elastic Security Labs

Related Pings

HIGH · Malware & Ransomware

Hacker Hijacks Axios Open-Source Project to Deliver Malware

A hacker has compromised the Axios open-source library, injecting malware that could impact millions of developers. This supply chain attack raises serious security concerns. Users should take immediate action to secure their systems.

TechCrunch Security

HIGH · Malware & Ransomware

Malware - Dissecting a Multi-Tool Mining Operation

A new malware operation deploys RATs and cryptominers through fake installers. Users are at risk of financial loss and data theft. Stay informed and protect your devices.

Elastic Security Labs

HIGH · Malware & Ransomware

Axios Supply Chain Attack - Malicious Packages Discovered

A supply chain attack on Axios has led to malicious npm packages being distributed. Developers may have unknowingly installed a Remote Access Trojan. It's crucial to assess and secure your development environments to prevent exploitation.

Malwarebytes Labs

HIGH · Malware & Ransomware

Venom Stealer - Continuous Credential Harvesting Threatens Users

Venom Stealer is a new malware that continuously steals credentials and cryptocurrency. Its advanced tactics pose a serious risk to users. Understanding its methods is vital for safeguarding sensitive data.

SecurityWeek

HIGH · Malware & Ransomware

WhatsApp Malware - Campaign Delivers VBS Payloads and MSI Backdoors

A new malware campaign exploits WhatsApp to deliver harmful VBS scripts. This attack targets users and organizations, compromising systems and maintaining access. Stay vigilant and protect your devices.

Microsoft Security Blog

HIGH · Malware & Ransomware

Ransomware - New Service Promises to Monetize Stolen Data

A new service called Leak Bazaar aims to monetize stolen data from ransomware attacks. This could lead to increased threats and exploitation of personal data. Experts are watching closely as this model unfolds.

The Record