npm - Major axios Package Backdoored to Deliver RAT

Basically, a popular coding tool was hacked to install secret malware on computers.
What Happened
In a shocking supply chain attack, the popular npm package axios was compromised to deliver a remote access trojan (RAT). Attackers hijacked the maintainer's account and injected malicious code into two legitimate releases, specifically axios@1.14.1 and axios@0.30.4. This incident is considered one of the most impactful npm supply chain attacks to date, affecting a library that boasts around 100 million downloads weekly.
The attackers did not alter axios's core code. Instead, they added a malicious dependency called plain-crypto-js@4.2.1, which acted solely as a delivery mechanism for the RAT. This dependency was published through the compromised account of the primary maintainer, who was reportedly locked out at the time. The malicious packages bypassed the project's usual security checks, raising serious concerns about npm's supply chain integrity.
Who's Affected
Developers who installed the compromised versions of axios are at risk. Given axios's extensive use in both front-end and back-end applications, the potential impact is vast. Many developers rely on axios for making HTTP requests, meaning that even a brief compromise could lead to widespread malware distribution across various development environments.
Security firm StepSecurity highlighted the sophistication of this attack, noting that the malicious dependency was staged 18 hours prior to release. This level of planning indicates that the attackers were not just opportunistic but had a clear strategy in mind. As a result, anyone who downloaded the affected versions must take immediate action to secure their systems.
Signs of Infection
The RAT introduced by the malicious dependency operates differently across various operating systems. On macOS, it disguises itself as a system daemon, while on Windows, it utilizes PowerShell. For Linux users, it falls back to a Python backdoor. The malware is designed to cover its tracks by deleting any evidence of its presence, making detection challenging.
If you've installed either version of axios, you should assume your system is compromised. Signs of infection may include unusual system behavior, unexpected network traffic, or unauthorized access to sensitive data. Developers are advised to be vigilant and monitor their systems closely for any suspicious activity.
How to Protect Yourself
If you are among the developers who installed the compromised axios versions, immediate action is crucial. Here are steps to take:
- Remove the affected packages from your projects.
- Rotate credentials for any accounts that may have been exposed.
- Rebuild machines if necessary, to ensure all traces of the malware are eliminated.
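A practical first step for the list above is to find out whether the named versions were ever resolved into a project. The script below is an added example, not code from the article or from the axios project: it walks an npm `package-lock.json` (both the nested `dependencies` tree of lockfileVersion 1 and the flat `packages` map of versions 2 and 3) and reports any entry matching the versions this article names (axios@1.14.1, axios@0.30.4, plain-crypto-js@4.2.1). The embedded lockfile is constructed for the example; the same function can be pointed at a real lockfile via the command line.

```javascript
// Added example: scan an npm lockfile for the package versions named in the
// article. Not part of the original article or the axios project.

// Versions named in the article. Add entries here if the advisory is updated.
const COMPROMISED = {
  axios: new Set(['1.14.1', '0.30.4']),
  'plain-crypto-js': new Set(['4.2.1']),
};

// Constructed sample package-lock.json (lockfileVersion 3 layout) for the demo.
const sampleLock = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': {
      version: '1.14.1',
      resolved: 'https://registry.npmjs.org/axios/-/axios-1.14.1.tgz',
      dependencies: { 'plain-crypto-js': '4.2.1' },
    },
    'node_modules/plain-crypto-js': { version: '4.2.1' },
    'node_modules/follow-redirects': { version: '1.15.6' },
  },
};

// lockfileVersion 1 stores a nested tree under "dependencies"; recurse into it.
function* walkV1(deps, prefix) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = `${prefix}/${name}`;
    yield { name, version: meta.version, path };
    if (meta.dependencies) yield* walkV1(meta.dependencies, `${path}/node_modules`);
  }
}

// lockfileVersion 2/3 store a flat map keyed by install path under "packages".
// The package name is the segment after the last "node_modules/", which also
// handles scoped packages (@scope/name) and nested copies.
function* walkLock(lock) {
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project itself
      const name = meta.name || path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
      yield { name, version: meta.version, path };
    }
  } else if (lock.dependencies) {
    yield* walkV1(lock.dependencies, 'node_modules');
  }
}

// Returns every installed package whose exact version is on the indicator list.
function findCompromised(lock, indicators = COMPROMISED) {
  const hits = [];
  for (const entry of walkLock(lock)) {
    const bad = indicators[entry.name];
    if (bad && bad.has(entry.version)) hits.push(entry);
  }
  return hits;
}

// Usage: node scan-lock.js ./package-lock.json   (falls back to the sample lock)
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : sampleLock;
  const hits = findCompromised(lock);
  for (const h of hits) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
  if (hits.length === 0) console.log('no listed versions found in lockfile');
  if (file && hits.length > 0) process.exitCode = 1; // non-zero so CI can fail the build
}

module.exports = { COMPROMISED, sampleLock, findCompromised };
```

Run it against every `package-lock.json` in the repositories and build agents you maintain, not just the application root; the package can also be pulled in transitively, which is why the scan matches on the installed path rather than on the root project's declared dependencies. A match means the remediation steps above apply to that machine, since the lockfile only records what was resolved, not whether the install script ran.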
Given the widespread use of axios, the cleanup process may be extensive. The incident serves as a stark reminder of the vulnerabilities present in software supply chains and the importance of implementing robust security measures to protect against such sophisticated attacks. Developers should remain vigilant and ensure their tools and dependencies are secure to prevent future compromises.