Unpacking the Axios supply chain attack: A cybersecurity wake-up call

Apr 2, 2026 | Threat Intelligence Research

Supply Chain Attack Targets Axios Library with Remote Access Trojan

Unit 42 has documented a supply chain attack on the Axios JavaScript HTTP client that reached organizations across multiple sectors. An attacker hijacked an Axios maintainer's npm account and used it to publish two malicious releases, v1.14.1 on the 1.x line and v0.30.4 on the legacy 0.x line. Each release pulled in a hidden dependency, plain-crypto-js, which delivers a remote access Trojan (RAT) with payloads for Windows, macOS and Linux.

The attacker did not modify Axios's own source code; the only change was a new entry in the published package.json's dependency list. That is enough. When a developer or a CI job runs npm install axios, npm resolves and installs plain-crypto-js as a transitive dependency and, because npm runs dependency lifecycle scripts by default, executes its postinstall script. That script is a heavily obfuscated Node.js dropper wrapped in several layers of encoding; it selects a payload for the host operating system and installs components for reconnaissance and persistence, with a self-destruct routine to remove traces. Because the library's own code was untouched, the trojanized releases behaved as normal Axios at runtime, which is what made the change easy to miss.

The impacted sectors include business services, financial services, high tech and higher education, with victims in the U.S., Europe and Australia; the spread follows Axios's install base rather than any single industry or region.

Defensive Context
Any organization building JavaScript or TypeScript software that depends on Axios, directly or transitively, is in scope; the exposure is not limited to teams that chose Axios deliberately. The incident shows the generic weakness this attack exploited: the registry trusts whoever holds the publisher's credentials, and the package manager executes whatever lifecycle scripts arrive with a dependency. Development teams should treat npm publishing credentials and the lockfiles that pin what gets installed as security-critical, and audit the full dependency tree, transitive dependencies included, rather than only the packages they declared themselves.

Why This Matters
The attack shows that any organization relying on third-party packages is exposed through its dependency tree, not just through the code it writes. Because the payload is a remote access Trojan with persistence, a compromised developer workstation or build server is a foothold for the attacker, not merely a leaked secret; the potential for operational disruption and exposure of sensitive data calls for immediate action by developers and system administrators who use the Axios library, rather than waiting for a normal patch cycle.

Defender Considerations
Organizations that installed either affected Axios release should check every project directory, CI cache and container image for axios@1.14.1, axios@0.30.4 or any copy of plain-crypto-js (in package-lock.json, yarn.lock and node_modules), and run malware scans on hosts where those were installed. The per-OS artifacts listed below (for example /Library/Caches/com.apple.act.mond on macOS) indicate that the dropper actually ran; a host showing them should be isolated and treated as compromised, with any credentials used from it rotated, since a RAT with persistence was active there. Two controls would have blunted this attack and are worth adopting going forward: a lockfile pinned to a known-good version, so that npm install does not silently pick up a new release, and npm's ignore-scripts setting (in .npmrc or via npm ci --ignore-scripts), which stops dependency postinstall hooks from running; note that ignore-scripts also disables legitimate build steps in some native packages, so it needs an allow-list or a separate install step for those.

Indicators of Compromise (IOCs)
– Malicious versions: Axios v1.14.1 and v0.30.4
– Malicious dependency: plain-crypto-js (version not recovered)
– C2 server: sfrclak[.]com:8000
– IP address: 142.11.206[.]73
– Artifacts:
– macOS: /Library/Caches/com.apple.act.mond
– Windows: %PROGRAMDATA%\wt.exe
– Linux: /tmp/ld.py

This incident underlines the need for continuous monitoring of developer and build environments, and for tested response plans that treat a poisoned dependency as a host compromise rather than as a bad package version to be rolled back.
