
Axios npm supply chain attack: Malicious updates add remote access trojan

The axios npm package was compromised late Monday night when malicious updates added a remote access trojan (RAT) to the widely used HTTP client library.

Axios is one of the most popular packages on npm, with about 100 million weekly downloads and more than 174,000 dependents. The massive supply chain attack was discovered by StepSecurity and reported to axios’ maintainers by StepSecurity Co-Founder and CTO Ashish Kurmi at 8 p.m. PDT.

The malicious updates, axios@1.14.1 and axios@0.30.4, were published manually through the npm account of axios’ primary maintainer Jason Saayman, and the account’s registered email address was changed to ifstap@proton[.]me, indicating a likely compromise of Saayman’s credentials.

The updates added the malicious dependency plain-crypto-js, which is never imported by axios’ source code but serves to add a postinstall script that triggers installation of the RAT backdoor.

The plain-crypto-js dependency was pre-staged on npm about 18 hours before the malicious axios updates were published, and the postinstall hook “node setup.js” was added just a minute before the updates were pushed.

The setup.js dropper employs two layers of string obfuscation, reversed base64 and an XOR cipher, and retrieves additional payloads from the command and control (C2) path http://sfrclak[.]com:800/6202033.

Windows, macOS and Linux machines targeted

The dropper branches on the victim’s operating system, with distinct payloads for Windows, macOS and Linux that all establish a backdoor to the same C2 server.

On Windows, the script runs “where powershell” to locate the PowerShell binary, then copies it to %PROGRAMDATA%/wt.exe, disguising it as the Windows Terminal executable. It then writes and executes a VBScript in the temp directory, which retrieves a PowerShell RAT and saves it to %TEMP%\6202033.ps1.

The RAT deletes itself after execution, and the VBScript is also deleted, leaving only %PROGRAMDATA%/wt.exe as an artifact, StepSecurity noted.

The macOS version writes an AppleScript file to the temp directory and then executes it, downloading the macOS RAT binary and saving it to /Library/Caches/com.apple.act.mond. The RAT is then launched in the background via /bin/zsh, while the AppleScript that downloaded it is deleted after execution.

On Linux, a shell command is executed directly via Node.js’ execSync, retrieving a Python RAT script and saving it to /tmp/ld.py, which is then executed in the background.

Additional anti-forensic cleanup removes setup.js from the package directory, deletes the package.json that carries the postinstall hook, and renames package.md to package.json, replacing the malicious manifest with a pre-staged “clean” version, StepSecurity said.

“Three separate payloads were pre-built for three operating systems. Both release branches were hit within 39 minutes. Every trace was designed to self-destruct. This is among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package,” Kurmi wrote.

How to tell if you were affected

Following Kurmi’s report, another axios maintainer, Dmitriy Mozgovoy, contacted npm administrators for assistance. Mozgovoy noted that he could not revoke access from Saayman’s compromised account because of its admin status, saying, “Whatever I fix, he will ‘fix’ it after me.”

By 8:30 p.m. PDT, about half an hour after the initial report, npm had removed the malicious dependency plain-crypto-js, both malicious axios versions and the compromised npm tokens, Mozgovoy reported.

However, anyone who installed the malicious versions may still be compromised. As StepSecurity noted, “axios is the most popular HTTP client library in the JavaScript ecosystem. It is used in virtually every Node.js and browser application that makes HTTP requests […] a compromise of even a single minor release has an enormous potential blast radius.”

To determine whether an environment may have been affected, check projects for the malicious axios versions 1.14.1 and 0.30.4 and check node_modules for plain-crypto-js, StepSecurity advised. CI/CD pipeline logs should also be reviewed for any npm install executions that pulled the malicious versions.

Systems should also be checked for the host artifacts %PROGRAMDATA%/wt.exe on Windows, /Library/Caches/com.apple.act.mond on macOS and /tmp/ld.py on Linux.

If any signs of RAT execution are discovered, systems should be treated as fully compromised and rebuilt from a known-good state, StepSecurity said. All credentials and secrets stored on the machine or injected into affected CI/CD workflows should be rotated, and C2 traffic to the domain sfrclak[.]com and IP 142[.]11[.]206[.]73 should be blocked, StepSecurity added.
