Threat Intel | Severity: HIGH

Supply Chain Attack - Axios npm Package Compromised

Source: Tenable Blog
Tags: Axios, npm, supply chain attack, malicious code, plain-crypto-js

Basically, hackers added bad code to a popular software package, putting users' data at risk.

Quick Summary

A major supply chain attack has compromised the Axios npm package, risking user data theft. If you've downloaded versions 1.14.1 or 0.30.4, immediate action is necessary. Protect your credentials and API keys now.

What Happened

A significant supply chain attack has compromised the Axios npm package, a widely used HTTP client library with over 100 million weekly downloads. Attackers hijacked a maintainer's account and published malicious versions of Axios, specifically versions 1.14.1 and 0.30.4. These versions pull in a hidden dependency called plain-crypto-js, which executes a remote access trojan (RAT) during installation. This kind of attack is alarming because of its potential for widespread damage: the malicious code runs in any environment that installed the compromised versions, with no further action from the victim.

The attack was executed through npm's postinstall lifecycle hook, which allows code to run automatically when the package is installed. This technique is becoming increasingly common among malicious actors, making it crucial for organizations to remain vigilant and proactive in their security measures.

Who's Affected

Any organization or developer that downloaded the compromised versions of Axios is at risk. This includes a vast array of users, from individual developers to large enterprises, all of whom may have unwittingly installed these malicious packages. The implications are severe, as compromised systems could lead to the theft of sensitive data, including API keys and user credentials.

Organizations must act quickly to assess whether they are using these specific versions of Axios. The presence of the malicious package indicates a confirmed security breach, necessitating immediate action to mitigate potential damage.

What Data Was Exposed

The malicious versions of Axios expose users to severe data theft risks. Once installed, the RAT can access sensitive information stored on the host system. This includes:

  • Credentials: Usernames and passwords can be harvested.
  • API Keys: Critical for accessing various services, their theft can lead to unauthorized access.
  • Personal Data: Any other sensitive information stored on the compromised system is also at risk.

Given the rapid pace at which attackers can exploit these vulnerabilities, organizations must assume that any system with the compromised Axios versions is fully compromised.

What You Should Do

If you suspect that your environment has been affected, immediate action is critical. Here are the steps you should take:

  1. Quarantine Affected Hosts: Isolate any systems that may have downloaded the malicious versions of Axios.
  2. Implement Incident Response Playbooks: Activate your organization's incident response plan to address the breach.
  3. Rotate Exposed Secrets: Change all exposed credentials and API keys to prevent unauthorized access.
  4. Scan Your Environment: Use security tools to detect the presence of the malicious packages and remove them.

Additionally, organizations should strengthen their security posture by implementing measures such as minimum package age policies, dependency pinning, and regular audits of lockfiles. These proactive steps can help mitigate the risks of future supply chain attacks.

Pro insight: The Axios incident underscores the urgent need for enhanced security protocols in open-source package management to prevent future supply chain attacks.

Original article from

Tenable Blog · Ron Popov
