Supply Chain Attack Hits 300 Million-Download Axios npm Package
A major software supply chain attack has compromised Axios, a widely used JavaScript HTTP client. Security researchers report that the compromise hit a package with more than 300 million weekly downloads, so the number of systems potentially exposed is very large.
Axios is distributed through the Node Package Manager (npm) and is used in a large number of web applications and backend systems. Because of its widespread use, the compromise created what security experts call a “huge blast radius”, meaning a very large number of developers and systems could potentially be affected.
According to security researchers, the attack began when the npm account of Axios’s primary maintainer, Jason Saayman, was compromised. The attacker changed the account’s registered email to an anonymous ProtonMail address and locked the original maintainer out. The attacker then published malicious packages directly from the npm command-line interface with the hijacked account. Publishing this way bypassed the project’s normal GitHub Actions continuous integration (CI) pipeline, which is how legitimate releases are normally built and published; a release pushed manually from a token also lacks the npm provenance attestation that a publish from a trusted CI workflow can attach, which is one signal consumers can check when a new version appears.
The attack was planned and executed in stages over approximately 18 hours. First, the attacker published a clean version of a new dependency, plain-crypto-js, at version 4.2.0. This version contained no malicious code; it existed to establish a publishing history and make the package look legitimate and less likely to be flagged by automated security tooling.
After this decoy, the attacker published plain-crypto-js@4.2.1, which carried the malicious code, and the compromised Axios releases pulled that version in as a dependency. The payload downloaded and installed a Remote Access Trojan (RAT) on Windows, Linux, and macOS systems, giving the attackers remote control over infected machines.
Security researchers identified several indicators of compromise. These include suspicious outbound network connections to the command-and-control (C2) server sfrclak.com or the IP address 142.11.206.73. Researchers also identified suspicious files created by the malware on different operating systems:
- macOS: /Library/Caches/com.apple.act.mond
- Windows: %PROGRAMDATA%\wt.exe
- Linux: /tmp/ld.py
Developers and organizations using Axios were advised to immediately pin Axios to a known-safe version, axios@1.14.0 on the 1.x line or axios@0.30.3 on the 0.x line, so that a semver range cannot resolve to a compromised release, and to check lockfiles and node_modules for plain-crypto-js, which should not appear in a clean dependency tree.
The Open Source Malware community described this incident as one of the most significant software supply chain attacks ever, due to the massive number of downloads and the sophisticated nature of the malware. The malicious code included obfuscation techniques, anti-analysis mechanisms, and multi-platform support, indicating a highly advanced attack.
Notably, researchers found that the malware did not include cryptocurrency miners or ransomware, the usual payloads of financially motivated attacks. Instead it focused on system reconnaissance, file collection, credential harvesting, and process monitoring, with particular interest in sensitive directories such as .ssh and .aws. This behavior suggests the attack may have been carried out by an Advanced Persistent Threat (APT) group focused on intelligence gathering rather than immediate financial gain.
This incident highlights the growing risk of software supply chain attacks, where attackers compromise trusted software packages to distribute malware to a large number of users. It also shows the importance of securing developer accounts, using multi-factor authentication, monitoring dependencies, and verifying software updates before installing them.
The Axios supply chain attack serves as a warning to developers and organizations around the world that even trusted open-source packages can become attack vectors if security practices are not properly followed.