SECURITY: NPM Axios http Supply Chain Attack RAT

Axios Supply Chain Attack from Hacker News [1]
As reported by Hacker News, the HTTP client Axios encountered a supply chain attack carried out with the compromised npm credentials of "jasonsaayman", the primary Axios maintainer. [1]
Versions 1.14.1 and 0.30.4 of Axios have been found to inject "plain-crypto-js" version 4.2.1 as a fake dependency.
According to StepSecurity, the two versions were published using the compromised npm credentials of the primary Axios maintainer ("jasonsaayman"), allowing the attackers to bypass the project's GitHub Actions CI/CD pipeline.
"Its sole purpose is to execute a postinstall script that acts as a cross-platform remote access trojan (RAT) dropper, targeting macOS, Windows, and Linux," security researcher Ashish Kurmi said. "The dropper contacts a live command and control server and delivers platform-specific second-stage payloads. After execution, the malware deletes itself and replaces its own package.json with a clean version to evade forensic detection." [1]
For more information on the patch, visit Axios's official website and GitHub [2]. To read more about an earlier npm cybersecurity issue, see the earlier blog post "'Shai-Hulud' affected NPM packages are installed (LINUX: BASH SCRIPT)" [3].
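A defender-side check for the versions named above, added here as an example that is not from the original post or the Axios project: it walks a project tree for installed package.json manifests and reports any that match the affected name@version pairs. It assumes the standard npm node_modules layout and builds its own constructed fixture for a demo run.

```shell
# Added example (POSIX sh): scan a project tree for the package versions the
# advisory names. Assumes the standard npm node_modules layout; the version
# list below is taken from the post.

# Compromised versions named in the post (name@version).
AFFECTED="axios@1.14.1 axios@0.30.4 plain-crypto-js@4.2.1"

# Extract a top-level string field ("name" or "version") from a package.json
# without jq; the first match is the top-level one in npm-written manifests.
pkg_field() {
  sed -n "s/^[[:space:]]*\"$2\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n1
}

# Print "name@version path" for every installed package under $1 that matches
# AFFECTED (nested and scoped packages included). Exit 0 = clean, 1 = hit.
scan_node_modules() {
  matches=$(find "$1" -path '*/node_modules/*/package.json' 2>/dev/null |
    while IFS= read -r pkg; do
      id="$(pkg_field "$pkg" name)@$(pkg_field "$pkg" version)"
      case " $AFFECTED " in
        *" $id "*) echo "$id $pkg" ;;
      esac
    done)
  [ -n "$matches" ] && printf '%s\n' "$matches"
  [ -z "$matches" ]
}

# Write a minimal constructed manifest: $1 = package dir, $2 = name, $3 = version.
write_manifest() {
  mkdir -p "$1"
  printf '{\n  "name": "%s",\n  "version": "%s"\n}\n' "$2" "$3" > "$1/package.json"
}

# Constructed fixture: one compromised axios, the fake dependency nested under
# it, and one harmless package. Prints the fixture root.
make_fixture() {
  d=$(mktemp -d)
  write_manifest "$d/node_modules/axios" axios 1.14.1
  write_manifest "$d/node_modules/axios/node_modules/plain-crypto-js" plain-crypto-js 4.2.1
  write_manifest "$d/node_modules/left-pad" left-pad 1.3.0
  echo "$d"
}

# Demo run against the fixture (exit status 1 signals a hit):
#   root=$(make_fixture); scan_node_modules "$root"; rm -rf "$root"
```

Point `scan_node_modules` at a real project root to check it; a non-zero exit status makes it usable as a CI gate.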