Widespread Impact of the Axios Supply Chain Attack
Executive Summary
Unit 42 researchers have observed widespread impact from the significant supply chain attack targeting the Axios JavaScript library. The attack occurred after an Axios maintainer's npm account was hijacked, leading to the release of malicious updates (versions v1.14.1 and v0.30.4).
These compromised versions introduced a hidden dependency called plain-crypto-js. This dependency is a cross-platform remote access Trojan (RAT) capable of affecting Windows, macOS and Linux systems. The malware was designed to perform reconnaissance and establish persistence, with an added feature to self-destruct for evasion.
Axios is a popular, promise-based HTTP client library for JavaScript, used to make API requests in browsers and Node.js. It features automatic JSON data transformation, request/response interception and request cancellation, making it a standard tool for connecting frontend apps to backend services.
Analysis of the malware the attackers used shows overlap with operations previously reported to involve the Democratic People’s Republic of Korea (DPRK).
This campaign has affected the following …
IoC