Hackers compromise Axios npm package to deliver cross-platform malware


A major software supply chain attack has targeted the popular Axios JavaScript library, after hackers hijacked the npm account of its primary maintainer to distribute malicious code to developers worldwide.

Axios, a popular HTTP client with over 100 million weekly downloads, was briefly compromised when attackers gained access to maintainer Jason Saayman’s npm account. Security firms Endor Labs, Socket, Aikido, and StepSecurity report that two malicious versions of the package (axios 1.14.1 and axios 0.30.4) were published within a short timeframe.

The compromised releases lacked standard security indicators, including OpenID Connect (OIDC) provenance and corresponding GitHub commits. The attackers inserted a malicious dependency called plain-crypto-js@^4.2.1 into the package configuration. The dependency executed a hidden post-install script that deployed an obfuscated dropper, which then contacted a command-and-control server to fetch platform-specific malware.

The attack targeted Windows, macOS, and Linux systems with tailored payloads. On Windows, it used a combination of VBScript and PowerShell to execute hidden commands and maintain persistence. On macOS, AppleScript was leveraged to download and run a background binary. Linux systems were infected with a Python-based payload executed silently using nohup.

In all cases, the malware installed a remote access trojan (RAT), allowing attackers to execute commands, explore file systems, and maintain ongoing access. The malicious code also attempted to erase traces of infection by deleting itself and restoring altered files.

Researchers believe the attack was highly coordinated, noting that the malicious dependency had been staged nearly 18 hours prior to deployment.

At present, it’s unclear who is behind the breach. This month saw a series of supply-chain attacks, including the LiteLLM and Trivy compromises, linked to a threat actor tracked as TeamPCP; however, this incident doesn’t match that actor’s tactics.

Developers using Axios are strongly advised to revert to safe versions axios 1.14.0 or axios 0.30.3 and audit their systems for signs of compromise. If there are signs of infection, rotating credentials and rebuilding environments from trusted sources is recommended.

Update: Google has attributed the attack to UNC1069, a suspected financially motivated North Korean threat actor focused on cryptocurrency theft, noting that its analysis of the incident is still ongoing.