lazarusholic


Axios NPM Package Compromised: Supply Chain Attack Hits JavaScript HTTP Client with 100M+ Weekly Downloads

2026-03-31, TrendMicro
https://www.trendmicro.com/en_us/research/26/c/axios-npm-package-compromised.html
#Axios #NPM

Contents

A supply chain attack hit Axios when attackers used stolen npm credentials to publish malicious versions that pulled in a phantom dependency. That dependency's postinstall hook dropped a cross-platform RAT during installation and then replaced its own files with clean decoys, making detection challenging.
Key takeaways
- Axios, a widely used JavaScript HTTP client with over 100 million weekly npm downloads, was compromised when an attacker hijacked the lead maintainer’s npm account and published two malicious versions (1.14.1 and 0.30.4) that deployed a cross-platform remote access trojan (RAT).
- The attack introduced a phantom dependency, [email protected], which executed a postinstall hook to deliver persistent malware on macOS, Windows, and Linux, and then erased evidence by replacing its own files with clean decoys.
- The attacker bypassed GitHub Actions’ OIDC Trusted Publisher safeguards by manually publishing poisoned versions using a stolen npm token, leaving no trace in …
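Added example (written for this page; not code from the Trend Micro report or the axios project): a Node.js script that audits an npm lockfile for the two compromised axios versions named above and for any dependency npm has flagged as carrying an install-time lifecycle script, the mechanism the phantom dependency used to run its payload. The lockfile content, the package names other than axios, and the `auditLockfile` helper are constructed for illustration.

```javascript
// Audit an npm lockfile (lockfileVersion 2 or 3, "packages" map) for:
//  1. axios pinned at a version the advisory names as compromised, and
//  2. any dependency that declares preinstall/install/postinstall scripts
//     (npm records this in the lockfile as "hasInstallScript": true).
// Assumption: the lockfile was generated by npm 7+; v1 lockfiles lack
// "hasInstallScript", so check 2 silently finds nothing there.

const COMPROMISED = new Map([
  ['axios', new Set(['1.14.1', '0.30.4'])], // versions named in the advisory
]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

function auditLockfile(lock) {
  const findings = { compromised: [], installScripts: [] };
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // the root project itself
    const name = packageNameFromPath(lockPath);
    const id = `${name}@${entry.version}`;
    const bad = COMPROMISED.get(name);
    if (bad && bad.has(entry.version)) findings.compromised.push(id);
    if (entry.hasInstallScript === true) findings.installScripts.push(id);
  }
  return findings;
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': {
      version: '1.14.1',
      resolved: 'https://registry.npmjs.org/axios/-/axios-1.14.1.tgz',
    },
    'node_modules/follow-redirects': { version: '1.15.6' },
    'node_modules/some-native-addon': { version: '2.0.0', hasInstallScript: true },
  },
};

function runDemo() {
  return auditLockfile(SAMPLE_LOCK);
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and failing the CI job when `compromised` is non-empty. Because the payload ran from a lifecycle hook, the cheapest preventive control is `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) so no hook executes before the tree has been inspected; and since a stolen-token publish leaves nothing in the project's GitHub Actions history, a clean CI log is not evidence that a version was built by the maintainer.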

IoC

Network (defanged):
hxxp://sfrclak.com:8000/6202033.ps1
hxxp://sfrclak.com:8000/6202033
hxxp://sfrclak.com:8000/
sfrclak.com
callnrwise.com
142.11.206.73
npm package@version identifiers (20 entries; all rendered as "[email protected]" by email obfuscation in this copy, see the Trend Micro report for the list):
[email protected]
SHA-256:
ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c
f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd
617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101
fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf
e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a
591a70e8b166265804c1e2add3f5554b38364a8750248a8c5be751c5cd9b1655
SHA-1:
2553649f2322049666871cea80a5d0d6adc700ca
07d889e2dadce6f3910dcbc253317d28ca61c766
d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71