Axios Compromised on NPM – Malicious Versions Drop Remote Access Trojan

A critical supply chain attack compromised the widely used axios npm package, injecting a sophisticated, cross-platform Remote Access Trojan via hijacked maintainer credentials. The attackers employed multi-stage obfuscation and self-deletion to meticulously hide their tracks. This incident provides a masterclass in modern dependency compromise, captivating HN's security-minded audience with its technical depth and far-reaching implications.

Score: 20 · Comments: 2 · Highest rank: #1 · On front page: 17h · First seen: Mar 31, 3:00 AM · Last seen: Mar 31, 7:00 PM

The Lowdown

The axios HTTP client library, a cornerstone of countless JavaScript applications, recently suffered a sophisticated supply chain compromise on npm. Malicious versions axios@1.14.1 and axios@0.30.4 were published using compromised credentials of a lead maintainer, bypassing standard CI/CD pipelines to distribute a stealthy remote access trojan.

  • Attack Vector: The attacker hijacked a maintainer's npm account, changed its associated email to a ProtonMail address, and manually published the poisoned packages.
  • Malware Delivery: The malicious versions introduced a fake, never-imported dependency called plain-crypto-js@4.2.1. This package's postinstall script served as a dropper for a cross-platform Remote Access Trojan (RAT).
  • Evasion Techniques: The RAT dropper utilized two-layer obfuscation for its setup.js script. Critically, after execution, the malware self-deleted its components and replaced its own package.json with a clean decoy (package.md) to thwart forensic analysis.
  • Staging & Stealth: The malicious plain-crypto-js package was pre-staged on npm hours before the axios compromise to appear legitimate and avoid