The popular HTTP client Axios recently fell victim to a sophisticated supply chain attack after compromised maintainer credentials were used to publish malicious versions 1.14.1 and 0.30.4. These versions injected a trojanized dependency that targets Windows, macOS, and Linux systems, necessitating an immediate downgrade to safe versions and a rotation of all sensitive credentials.
The Axios ecosystem was recently compromised when an attacker gained control of a primary maintainer's npm account. By bypassing standard GitHub Actions CI/CD pipelines through the use of a long-lived access token, the threat actor published two poisoned versions of the package. These updates introduced a malicious dependency called plain-crypto-js, which was specifically designed to execute a cross-platform remote access trojan on any machine that installed the library.
Security researchers noted that the attack was highly coordinated rather than opportunistic, with the malicious infrastructure staged nearly a day before the breach. The malware used an obfuscated Node.js dropper that identified the host's operating system and delivered a tailored secondary payload. On macOS, the dropper used AppleScript to fetch a binary; on Windows, it disguised itself as the Windows Terminal; and on Linux, it deployed a Python-based script to establish a connection with a command and control server.
The sophisticated nature of the malware included several features intended to evade forensic detection and remain persistent until its mission was complete. Once the second-stage payload was successfully delivered and executed in the background, the dropper would delete its temporary files and overwrite its own package metadata with a clean version. This self-destruct mechanism was designed to leave as little evidence as possible for security teams or automated scanners to find after the initial infection.
Given that Axios serves over 83 million weekly downloads, the reach of this supply chain attack is significant, impacting frontend frameworks and enterprise backend services alike. The attacker even managed to change the registered email of the compromised account to a private Proton Mail address to maintain control during the operation. Although the malicious versions have been pulled from the npm registry, the window of exposure was wide enough to put a vast number of development environments and production servers at risk.
Impacted users are urged to take immediate action to secure their infrastructure by auditing their dependency trees and ensuring they are on the last clean releases, Axios 1.14.0 or 0.30.3. Because the remote access trojan was designed to exfiltrate data, simply removing the package is insufficient. Security professionals recommend a complete rotation of all secrets, API keys, and environment variables that were present on any system where the malicious versions were installed or executed.