lazarusholic

Everyday is lazarus.dayβ

The Poisoned Pipeline: Axios Supply Chain Attack

2026-03-31, InvictusIR
https://www.invictus-ir.com/news/the-poisoned-pipeline-axios-supply-chain-attack
#Axios #JustJoin #NPM

Contents

tl;dr
- Axios Supply Chain: Between 30-31 March 2026, a lead maintainer’s account was compromised to publish trojanized versions (1.14.1 and 0.30.4), introducing a dependency that deploys a multi-stage Remote Access Trojan (RAT).
- The Malware: The RAT targets Windows, macOS, and Linux, and can reside in memory to evade detection. Attacker-controlled accounts and supporting C2 infrastructure were created less than 24 hours before the attack, indicating deliberate pre-positioning and coordinated execution.
- Immediate Action: Block known C2 infrastructure, rotate all cloud and CI/CD secrets exposed to affected environments, and downgrade the package to a known safe version (1.40.0).
- The Bigger Picture: While Axios is the latest supply chain victim, the TeamPCP campaign has been targeting tools such as Trivy and KICS since March 19. These two attacks represent a systemic shift in supply chain risk, where the weaponization of trusted libraries and security tools has evolved into persistent access at scale.

Introduction
In the last …

IoC
