Axios npm Package Compromised in Supply Chain Attack Using Malicious Dependency Injection
Overview
A major software supply chain incident has emerged after attackers compromised the widely used axios npm package, injecting malicious code through a stealthy dependency attack. The breach affects versions 1.14.1 and 0.30.4, exposing thousands of applications that automatically installed the infected updates.
How the Attack Happened
The attackers appear to have gained access to a maintainer account and published malicious versions of axios directly to npm. Instead of modifying the core library, they introduced a single but critical change: a new dependency named plain-crypto-js, which contained hidden malicious code.
This subtle modification allowed the attack to bypass traditional code reviews, as no actual axios source files were altered. The malicious package executed automatically during installation via a postinstall script, requiring no user interaction.
Malware Functionality and Execution
The injected dependency included an obfuscated payload that contacted a remote command-and-control (C2) server to download a second-stage malware. The attack primarily targeted Windows and Linux systems, while the macOS variant appeared incomplete.
On Windows, the malware copied and renamed PowerShell binaries to evade detection, while on Linux systems, it downloaded and executed a Python-based payload from a temporary directory. The malware also removed traces of itself after execution by deleting installation scripts and restoring clean package files, making detection more difficult.
Indicators of Compromise
Security analysis revealed multiple indicators, including suspicious files such as /tmp/ld.py on Linux and %PROGRAMDATA%\wt.exe on Windows systems. The malicious packages were distributed through compromised publisher accounts using unfamiliar email addresses, signaling account takeover activity.
Scale and Impact
Axios is one of the most widely used JavaScript libraries, with millions of weekly downloads. Due to npm’s versioning system, projects using version ranges automatically installed the malicious updates, significantly amplifying the attack’s reach.
| Package | Affected version | Last known safe version | Notes |
|---|---|---|---|
| axios | 1.14.1 | 1.14.0 | Compromised current 1.x branch |
| axios | 0.30.4 | 0.30.3 | Compromised legacy 0.x branch |
| plain-crypto-js | 4.2.0 | N/A | Malicious dependency package |
| plain-crypto-js | 4.2.1 | N/A | Malicious dependency package |
Why This Attack Is Critical
This incident highlights a growing trend in software supply chain attacks: dependency injection. By targeting trusted packages and introducing malicious dependencies, attackers can infect vast numbers of systems without directly altering the original codebase.
Mitigation and Recommendations
Developers are advised to immediately downgrade to safe versions such as 1.14.0 or 0.30.3, audit systems for suspicious files, and rotate credentials on potentially compromised machines. Monitoring unusual installation behaviors and enforcing strict dependency controls can help reduce future risks.
Conclusion
The axios compromise underscores the fragility of modern software supply chains. As attackers refine stealthy techniques like dependency injection, organizations must strengthen package verification processes and adopt proactive security measures to prevent similar large-scale compromises.