Threat Intel · HIGH

Axios Trojans - Major npm Supply Chain Attack Uncovered

Tags: Axios, npm, UNC1069, TeamPCP, remote access trojan, Cyberattacks, Supply Chain Security, Remote Access Trojan, JavaScript Libraries

Hackers broke into the account of the person who manages Axios, a popular tool used by many apps, and uploaded fake versions that could let them control users' computers. This is a big deal because so many apps rely on Axios, and it shows how quickly problems can spread in software.

Quick Summary

The Axios npm library was compromised in a major supply chain attack, affecting millions of applications. Organizations are urged to audit their dependencies and enhance security measures.

Attackers compromised the npm account of the lead maintainer of Axios, a widely used JavaScript HTTP client library, and used it to publish malicious versions of the package that deployed a cross-platform remote access trojan on developer machines. The incident represents the highest-impact npm supply chain attack on record, given Axios’ approximately 100 million weekly downloads and its presence in frontend frameworks, backend services, and countless enterprise applications.

The malicious versions, axios@1.14.1 and axios@0.30.4, were detected by multiple security companies monitoring the npm registry within minutes of publication, triggering a rapid response that saw the malicious packages removed by the npm team within two to three hours. However, the short time window was enough to impact a significant number of developer environments. According to cloud security firm Wiz, Axios is used in 80% of cloud and code environments; the company observed execution of the malware in roughly 3% of impacted environments.

The attack's significance is amplified by the fact that Axios is often included as a transitive dependency across millions of applications, meaning that even systems that did not directly install Axios could be indirectly impacted if another package depended on the compromised versions. This highlights the broader downstream risk across modern JavaScript ecosystems.

The Google Threat Intelligence Group (GTIG) attributed the Axios attack to a North Korean threat actor known as UNC1069, known for their experience with supply chain attacks. "North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency," said John Hultquist, chief analyst with GTIG. The attack follows a series of supply chain attacks that impacted multiple open-source projects across different package repositories over the past several weeks, most of them attributed to a group known as TeamPCP.

Researchers from security firm Snyk noted the sophistication of techniques involved in the attack, including pre-staging the malicious dependency and implementing anti-forensic self-deletion. The incident underscores the need for organizations to audit their dependencies and implement stricter security measures in their CI/CD pipelines.

Organizations should immediately revert to known safe versions of Axios and consider implementing npm safeguards, such as enforcing a short quarantine on new package versions and limiting script execution in CI/CD pipelines. These measures can help mitigate risks from future supply chain attacks.
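The dependency audit and quarantine measures described above can be turned into a lockfile check. The following is an added example (not code from the article, the Axios project or any of the security firms it cites): it walks an npm lockfile (lockfileVersion 2 or 3), flags any installed copy of a block-listed version including transitive copies nested under other packages, and flags versions published more recently than a quarantine window. The block list uses the two versions named in the article; the lockfile, the publish-time map and its dates are constructed sample data. In practice the publish times would come from `npm view <pkg> time --json`.

```javascript
// Added example, not code from the article or the Axios project: audit an npm
// lockfile (lockfileVersion 2/3) for package versions named in a block list,
// including transitive copies nested under other dependencies, and flag
// versions published more recently than a quarantine window.

// Versions named in the article as malicious.
const COMPROMISED = {
  axios: new Set(["1.14.1", "0.30.4"]),
};

// Package name from a lockfile path such as "node_modules/a/node_modules/@s/b":
// everything after the last "node_modules/" segment (scoped names keep their slash).
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// True when `version` of `name` was published less than `days` before `now`.
// `publishTimes` mirrors the shape of `npm view <pkg> time --json`
// ({ version: ISO-8601 timestamp }); returns null when the time is unknown.
function withinQuarantine(name, version, publishTimes, now, days) {
  const ts = publishTimes[name] && publishTimes[name][version];
  if (!ts) return null;
  return now - Date.parse(ts) < days * 24 * 60 * 60 * 1000;
}

// Walk every installed package in the lockfile and return findings of the form
// { name, version, path, direct, reasons: ["blocklisted" | "recently-published"] }.
function auditLockfile(lockfile, opts = {}) {
  const blocklist = opts.blocklist || COMPROMISED;
  const publishTimes = opts.publishTimes || {};
  const now = opts.now ?? Date.now();
  const days = opts.days ?? 7;
  const packages = lockfile.packages || {};
  const root = packages[""] || {};
  // Names the project itself asks for; anything else is transitive.
  const directNames = new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
  ]);

  const findings = [];
  for (const [lockPath, entry] of Object.entries(packages)) {
    if (lockPath === "") continue; // the project's own entry
    const name = packageName(lockPath);
    const version = entry.version;
    const reasons = [];
    if (blocklist[name] && blocklist[name].has(version)) reasons.push("blocklisted");
    if (withinQuarantine(name, version, publishTimes, now, days) === true) reasons.push("recently-published");
    if (reasons.length === 0) continue;
    findings.push({
      name,
      version,
      path: lockPath,
      // Hoisted to the top level and requested by the project itself => direct.
      direct: lockPath === `node_modules/${name}` && directNames.has(name),
      reasons,
    });
  }
  return findings;
}

// Constructed sample lockfile: axios appears as a direct dependency (hoisted
// copy) and as a nested copy pulled in by a fictional "some-sdk" package.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.14.0", "some-sdk": "^2.0.0" } },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/some-sdk": { version: "2.0.0", dependencies: { axios: "~0.30.0", lodash: "^4.17.0" } },
    "node_modules/some-sdk/node_modules/axios": { version: "0.30.4" },
  },
};

// Constructed publish times with placeholder dates (not the real npm metadata).
const SAMPLE_PUBLISH_TIMES = {
  axios: {
    "1.14.0": "2026-01-01T00:00:00Z",
    "1.14.1": "2026-01-30T12:00:00Z",
    "0.30.4": "2026-01-30T12:05:00Z",
  },
  lodash: { "4.17.21": "2021-02-20T00:00:00Z" },
};
const SAMPLE_NOW = Date.parse("2026-01-31T00:00:00Z");

if (typeof require !== "undefined" && require.main === module) {
  const findings = auditLockfile(SAMPLE_LOCKFILE, { publishTimes: SAMPLE_PUBLISH_TIMES, now: SAMPLE_NOW });
  for (const f of findings) {
    console.log(`${f.direct ? "direct" : "transitive"} ${f.name}@${f.version} (${f.path}): ${f.reasons.join(", ")}`);
  }
}
```

On the sample data both axios copies are reported, the top-level one as direct and the nested one as transitive, while lodash is not. Running the check in CI against the committed lockfile catches the transitive case the article warns about, where a project never lists axios itself; the quarantine rule additionally delays adoption of any version, compromised or not, until it has been public for a few days.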

Original article from CSCSO Online.

Also covered by Arctic Wolf Blog: "Supply Chain Attack Impacts Widely Used Axios npm Package".

Related Pings (all rated HIGH, Threat Intel)

- North Korea-Nexus Threat Actor Compromises Axios NPM Package (Mandiant Threat Intel): A North Korea-linked threat actor has compromised the axios NPM package. This attack affects millions of users and highlights serious supply chain vulnerabilities. Immediate action is required to secure affected systems.

- macOS Feature - Prevents ClickFix Compromise Attacks (SC Media): Apple's latest macOS feature helps prevent ClickFix attacks by alerting users before executing risky commands. This is vital for protecting user data from phishing threats. Stay safe and informed with this new security measure.

- Supply Chain Attack - Axios npm Package Compromised (Arctic Wolf Blog): A major supply chain attack has compromised the Axios npm package, affecting millions of applications. Users are at risk due to malicious versions published in a short time frame. Immediate action is needed to secure systems and prevent exploitation.

- LiteLLM Supply Chain Compromise - TeamPCP's Attack Unveiled (Trend Micro Research): The Threat: The recent compromise of LiteLLM, a widely-used AI proxy package, has revealed a significant threat in the cybersecurity landscape. Orchestrated by the criminal group TeamPCP, this multi-ecosystem supply chain attack is one of the most sophisticated documented to date. The attack exploited vulnerabilities in developer tooling and targeted LiteLLM, which serves as a gateway to various LLM

- TeamPCP’s Supply Chain Attack - Weaponizing Security Tools (Palo Alto Unit 42): TeamPCP has launched a multi-stage supply chain attack on trusted security tools. This breach has exposed sensitive data from numerous organizations, raising serious security concerns. Organizations must act quickly to secure their infrastructures and protect against further exploitation.

- Iran Threatens Major US Tech Firms with Attacks Starting April 1 (Wired Security): Iran's IRGC has threatened to attack major US tech firms like Apple and Google starting April 1. This escalation could severely disrupt operations and impact global tech infrastructure. Companies are urged to prepare for potential cyberattacks and physical threats as tensions rise.