Inside the Axios supply chain compromise - one RAT to rule them all
Elastic Security Labs released initial triage and detection rules for the Axios supply-chain compromise. This is a detailed analysis of the RAT and payloads.
Introduction
Elastic Security Labs identified a supply chain compromise of the axios npm package, one of the most depended-upon packages in the JavaScript ecosystem with approximately 100 million weekly downloads. The attacker compromised a maintainer account and published backdoored versions that delivered a cross-platform Remote Access Trojan to macOS, Windows, and Linux systems through a malicious postinstall hook.
Key takeaways
- A compromised npm maintainer account (jasonsaayman) was used to publish two malicious versions of the widely used Axios HTTP client — 1.14.1 (tagged latest) and 0.30.4 (tagged legacy) — meaning a default npm install axios resolved to a backdoored package
- The malicious JavaScript deploys platform-specific stage-2 implants for macOS, Windows, and Linux
- All three stage-2 payloads are implementations of the same RAT — identical C2 protocol, command set, beacon …
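The two malicious releases above are the versions a default `npm install axios` (or a lockfile that already resolved to them) pulled in, and the `postinstall` hook is what executed the stage-1 loader. As an added example, not code from the Elastic post or from the axios project, the Node.js script below audits a `package-lock.json` (lockfile v2/v3 `packages` map) for those two axios versions and flags any dependency that npm recorded as carrying an install lifecycle script, so the hook can be reviewed before an install runs it. The `SAMPLE_LOCK` object is constructed for the demo; `hasInstallScript` is the field npm writes into the lockfile for packages that declare `preinstall`, `install` or `postinstall`.

```javascript
// Added example, not code from the Elastic post or the axios project.
// Audits a package-lock.json (lockfile v2/v3 "packages" map) for the two
// backdoored axios releases named in the write-up and for any dependency that
// npm recorded as carrying an install lifecycle script. SAMPLE_LOCK below is
// constructed for this demo.

// Versions the write-up identifies as malicious (1.14.1 "latest", 0.30.4 "legacy").
const BAD_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);

// npm lifecycle scripts that run automatically during `npm install` / `npm ci`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Lockfile keys look like "node_modules/axios" or
// "node_modules/legacy-lib/node_modules/axios"; the package name (including any
// @scope/ prefix) is everything after the last "node_modules/".
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Returns one finding per suspicious lockfile entry, each with the reasons it
// was flagged. The root project entry (key "") is skipped.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === "") continue;
    const name = packageNameFromKey(key);
    const reasons = [];
    if (name === "axios" && BAD_AXIOS_VERSIONS.has(meta.version)) {
      reasons.push("backdoored axios release");
    }
    // npm sets hasInstallScript: true when the package declares one of the
    // INSTALL_HOOKS; those are the entries to review before letting them run.
    if (meta.hasInstallScript === true) {
      reasons.push("declares install lifecycle script");
    }
    if (reasons.length > 0) {
      findings.push({ path: key, name, version: meta.version, reasons });
    }
  }
  return findings;
}

// For a dependency's own package.json, list which install hooks it declares.
function declaredInstallHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS.filter((hook) => Object.prototype.hasOwnProperty.call(scripts, hook));
}

// Constructed lockfile: a direct axios dependency resolved to the backdoored
// "latest" release and a transitive one resolved to the backdoored "legacy" release.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0", "legacy-lib": "2.0.0" } },
    "node_modules/axios": { version: "1.14.1", hasInstallScript: true },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/legacy-lib": { version: "2.0.0" },
    "node_modules/legacy-lib/node_modules/axios": { version: "0.30.4", hasInstallScript: true },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version}: ${f.reasons.join("; ")}`);
}
```

To run this against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; `npm ls axios` gives the same resolved-version view from the CLI. Because the delivery mechanism was a lifecycle script, `npm ci --ignore-scripts` (or `npm config set ignore-scripts true`) is the control that would have prevented the loader from executing at install time, at the cost of breaking the few dependencies that legitimately need a build step.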
IoC
http://sfrclak.com:8000
http://sfrclak.com:8000/6202033
http://142.11.206.73
http://gmail.com
http://sfrclak.com
http://proton.me
142.11.206.73
fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf
617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101
92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a
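The indicators above are the C2 endpoint, its IP, and the three payload hashes. As an added example that is not part of the Elastic write-up, the script below matches them against constructed proxy log lines and a constructed list of observed SHA-256 values. It matches the C2 domain and any subdomain of it, matches the IP on digit boundaries so a longer address does not produce a false hit, and compares hashes case-insensitively. `gmail.com` and `proton.me` are listed as IoCs above but are deliberately left out of the match set here, since matching them would flag legitimate traffic.

```javascript
// Added example, not part of the Elastic write-up. Matches the published
// network and file-hash IoCs against constructed proxy log lines and a
// constructed list of observed SHA-256 hashes. gmail.com and proton.me are
// omitted from the match set because they would match legitimate traffic.
const IOC = {
  domains: ["sfrclak.com"],
  ips: ["142.11.206.73"],
  sha256: new Set([
    "fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf",
    "617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101",
    "92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a",
  ]),
};

// True when host is the IoC domain itself or a subdomain of it, so
// "sfrclak.com" and anything under it match while "notsfrclak.com" does not.
function hostMatchesDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Extract indicators from one log line: the hostname of any URL it contains
// plus bare IPs (e.g. from CONNECT entries), and return the IoC labels hit.
function matchLogLine(line) {
  const hits = new Set();
  const urlMatch = line.match(/https?:\/\/[^\s"']+/);
  if (urlMatch) {
    const host = new URL(urlMatch[0]).hostname.toLowerCase(); // drops port and path
    for (const d of IOC.domains) {
      if (hostMatchesDomain(host, d)) hits.add(`domain:${d}`);
    }
    if (IOC.ips.includes(host)) hits.add(`ip:${host}`);
  }
  for (const ip of IOC.ips) {
    // Anchor on non-digit/non-dot boundaries so 142.11.206.73 does not match
    // inside a longer string such as 142.11.206.730.
    const re = new RegExp(`(^|[^0-9.])${ip.replace(/\./g, "\\.")}(?![0-9.])`);
    if (re.test(line)) hits.add(`ip:${ip}`);
  }
  return [...hits];
}

// Scan many lines; return only those with at least one IoC hit.
function scanLog(lines) {
  return lines
    .map((line) => ({ line, hits: matchLogLine(line) }))
    .filter((r) => r.hits.length > 0);
}

// Compare observed hashes (any case, surrounding whitespace tolerated) with the IoC set.
function matchHashes(observed) {
  return observed.map((h) => h.trim().toLowerCase()).filter((h) => IOC.sha256.has(h));
}

// Constructed proxy log lines: client IP, method, target, status.
const SAMPLE_LOG = [
  "10.0.0.5 GET http://sfrclak.com:8000/6202033 200",
  "10.0.0.5 GET https://registry.npmjs.org/axios 200",
  "10.0.0.7 CONNECT 142.11.206.73:443 -",
  "10.0.0.9 CONNECT 142.11.206.730:443 -",
];

// Constructed hash list: one IoC hash in upper case plus an unrelated value.
const SAMPLE_HASHES = [
  "FCB81618BB15EDFDEDFB638B4C08A2AF9CAC9ECFA551AF135A8402BF980375CF",
  "0000000000000000000000000000000000000000000000000000000000000000",
];

for (const r of scanLog(SAMPLE_LOG)) console.log(`IOC HIT [${r.hits.join(", ")}] ${r.line}`);
for (const h of matchHashes(SAMPLE_HASHES)) console.log(`IOC HASH ${h}`);
```

Feed a real log with `fs.readFileSync(path, "utf8").split("\n")` in place of `SAMPLE_LOG`, and produce the hash list with `shasum -a 256` over the files under `node_modules/axios` on hosts that may have installed the affected versions. Hash matching only catches the payloads as published; the network indicators are the more durable signal if the same infrastructure is reused with repacked binaries.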