Supply Chain Compromise Affects Well-Known Axios npm Package with 100 Million Downloads



Quick Overview

  • Axios, a widely used JavaScript library with more than 100 million downloads per week, was compromised in a supply chain attack.
  • The attack used the Axios npm package to distribute a remote access trojan (RAT) to systems running Windows, Linux, and macOS.
  • The malicious dependency version, plain-crypto-js@4.2.1, was published only after a benign version had been released to build a credible publishing history.
  • Developers are advised to revert to axios@1.14.0 or axios@0.30.3.
  • Indicators of compromise include network connections to sfrclak.com and specific file paths on macOS, Windows, and Linux.
  • The incident is attributed to an advanced persistent threat (APT) actor focused on intelligence collection and credential theft.

Investigating the Axios Supply Chain Incident

The popular JavaScript library Axios, a package with over 100 million downloads each week, has suffered a supply chain compromise. The attack targeted Windows, Linux, and macOS platforms, delivering a remote access trojan (RAT) through a malicious dependency.

Analyzing the Axios Attack

The breach began with the compromise of the npm account of Axios’ lead maintainer, Jason Saayman. After switching the account’s registered email to a ProtonMail address, the attacker published malicious packages manually, bypassing the project’s GitHub Actions continuous integration pipeline.

Phases of the Breach

The intruder first published a non-malicious version, plain-crypto-js@4.2.0, to establish a credible npm publishing history. The malicious version, plain-crypto-js@4.2.1, was released afterwards and was built to evade security scanning.

Steps for Developers to Take Immediately

Anyone using Axios should promptly revert to either axios@1.14.0 or axios@0.30.3. Reviewing network logs for connections to sfrclak.com, and checking hosts for the file paths listed among the indicators of compromise, can help identify systems that may already be affected.
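As an added example (not code from the article or from the Axios project), the following Node.js script audits an npm lockfile for the two indicators the article gives developers: the presence of the plain-crypto-js dependency (4.2.1 being the known malicious release) and any installed axios version other than the two the advisory recommends. The dependency name, versions, and severity labels are assumptions drawn only from this article; the lockfile below is constructed for demonstration.

```javascript
"use strict";

// From the article: the attacker-published dependency and the axios versions
// developers are told to revert to. Everything else here is an assumption.
const SUSPECT_DEP = "plain-crypto-js";
const MALICIOUS_VERSION = "4.2.1";
const RECOMMENDED_AXIOS = new Set(["1.14.0", "0.30.3"]);

// npm lockfile v2/v3 keys packages by install path, e.g.
// "node_modules/foo/node_modules/@scope/name". Take the last segment.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Walk every installed package, including nested copies, and return findings.
function auditLockfile(lock) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // the root project entry, not a dependency
    const name = packageNameFromPath(lockPath);
    const version = meta.version;
    if (name === SUSPECT_DEP) {
      const known = version === MALICIOUS_VERSION;
      findings.push({
        severity: known ? "critical" : "review",
        path: lockPath,
        reason: known ? `known malicious ${name}@${version}`
                      : `${name}@${version} was published by the attacker; review it`,
      });
    }
    if (name === "axios" && !RECOMMENDED_AXIOS.has(version)) {
      findings.push({ severity: "warning", path: lockPath,
        reason: `axios@${version} is not a version the advisory recommends` });
    }
  }
  return findings;
}

// Constructed sample lockfile: a recommended axios plus a nested copy of the
// malicious dependency pulled in transitively by another library.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/axios": { version: "1.14.0" },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/plain-crypto-js": { version: "4.2.1" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`[${f.severity}] ${f.path}: ${f.reason}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of that project’s package-lock.json.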

Takeaways from the Open Source Malware Community

The Open Source Malware community described Axios as one of the most widely used JavaScript libraries in the world. They highlighted the attack’s sophistication: the malicious package used obfuscation and anti-analysis techniques to deliver RAT functionality across all three platforms.

Conclusion

This high-profile supply chain attack on the Axios npm package highlights how much risk is concentrated in widely used software dependencies. The attack’s sophistication and its focus on data collection point to an advanced persistent threat actor rather than financially motivated cybercriminals.

Q: What is Axios?

A: Axios is a widely used HTTP client library for JavaScript, commonly employed in web development to make HTTP requests.

Q: How was the Axios package compromised?

A: An attacker took control of the npm account of the package’s maintainer and published a malicious dependency that installed a remote access trojan.

Q: What actions should developers take to safeguard their projects?

A: Developers should revert to secure versions of Axios (axios@1.14.0 or axios@0.30.3) and scrutinize network logs for unusual activity.

Q: What are the signs of a compromised system?

A: Signs include network connections to sfrclak.com and particular file paths on macOS, Windows, and Linux platforms.

Q: Who is believed to be responsible for the attack?

A: The attack is thought to be orchestrated by an advanced persistent threat actor, prioritizing intelligence gathering over financial incentives.

Posted by Matthew Miller

Matthew Miller is a Brisbane-based Consumer Technology Editor at Techbest covering breaking Australia tech news.
