lazarusholic

axios compromised on npm: maintainer account hijacked, RAT deployed

2026-03-30, Aikido
https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat
#Axios #NPM

Key takeaways
- The npm account of the lead axios maintainer was hijacked. Two malicious versions were published: axios@1.14.1 and axios@0.30.4. npm has since removed both.
- Anyone who installed either version before the takedown should assume their system is compromised. The malicious versions inject a dependency (plain-crypto-js) that deploys a cross-platform remote access trojan targeting macOS, Windows, and Linux.
- axios has ~100 million weekly downloads. This is one of the most impactful npm supply chain attacks on record.
- The malware self-destructs after execution, so post-infection inspection of node_modules will not reveal it. You need to check your logfiles.
Credit to the great coverage of this incident by:
- StepSecurity (https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan)
- Socket (https://socket.dev/blog/axios-npm-package-compromised)
How to check if you are affected by the axios attack
Option 1) Check manually
1. Check for malicious axios versions
Scans your installed packages and lock file for 1.14.1 or 0.30.4.
npm list axios 2>/dev/null | grep -E "1\.14\.1|0\.30\.4"
grep -A1 '"axios"' package-lock.json | grep -E "1\.14\.1|0\.30\.4"
2. Check for the …

IoC
