Hackers Compromise Axios npm Package to Deliver Malware

Basically, hackers broke into a popular software package to spread harmful programs to many computers.
Hackers have compromised the Axios npm package, delivering malware to countless systems. This attack may affect millions of users. Immediate action is needed to secure environments.
What Happened
Hackers have successfully compromised the npm account of the Axios package, a widely used JavaScript HTTP client with over 100 million weekly downloads. This breach allowed them to publish two malicious versions of the package, axios@1.14.1 and axios@0.30.4, within a short time frame. The malicious versions were published without proper verification, raising alarms about the security of package management systems.
The threat actor gained access to the Axios package by hijacking the npm account of Jason Saayman, the main maintainer. The malicious versions were live for nearly three hours, and it remains unclear how many downstream projects pulled them in during that window. Given the popularity of Axios, the number could be substantial.
How It Works
Once the attackers gained access, they injected a malicious dependency, plain-crypto-js@^4.2.1, into the package.json file. This dependency carries a postinstall script (npm's install-time lifecycle hook) that launches an obfuscated dropper (setup.js). The dropper contacts a command-and-control (C2) server to retrieve a payload tailored to the detected operating system.
For Windows, the malware uses a combination of VBScript and PowerShell to run hidden scripts. On macOS, it employs AppleScript to execute malicious binaries, while on Linux, it fetches a Python-based payload. In all cases, the malware allows attackers to maintain control over infected systems, executing commands and retrieving sensitive information.
Who's Being Targeted
The Axios npm package is widely utilized in JavaScript applications, making its users prime targets for this attack. The malicious payloads were designed to infect Linux, Windows, and macOS systems, showcasing the attackers' intention to reach a broad audience. With 400 million monthly downloads, the potential impact is significant, affecting countless developers and organizations that rely on Axios for their applications.
The attackers' strategy appears to be well-planned, with the malicious dependency staged 18 hours before the actual attack. This indicates a level of sophistication that raises concerns about the security of software supply chains.
What You Should Do
If you're using Axios, it is crucial to take immediate action. Users are advised to pin their dependency to the last known clean versions, axios@1.14.0 and axios@0.30.3. If you suspect your environment may have been compromised, rotate every credential it had access to and rebuild from a known good state.
Moreover, this incident highlights the importance of vigilance in software supply chain security. Regularly auditing dependencies and monitoring for unusual activity can help mitigate the risks associated with such attacks. Stay informed about security updates and best practices to protect your systems from similar threats.