Emerging Threat

Compromised NPM Package Axios: Emerging Threat published on Risk Ledger

Attackers compromised the Axios maintainer's npm account and published malicious versions that pull in a dependency deploying remote access malware. Learn how to detect and mitigate the supply chain risk.


Summary

Compromised versions of axios (1.14.1 and 0.30.4), a widely used JavaScript package, were published to npm. The affected versions pull in the malicious dependency plain-crypto-js@4.2.1, which deploys a cross-platform remote access trojan (RAT) that allows attackers to execute code remotely on affected Windows, macOS and Linux devices and take full control of the system.

Threat Description


  • The threat was first detected at 00:05:41 UTC on March 31, six minutes after the malicious package was published.
  • The npm account of the lead axios maintainer was hijacked, and the malicious versions were pushed directly to npm outside of the usual release process.
  • Two malicious versions were published: axios@1.14.1 and axios@0.30.4. npm has since removed both.
  • The malware self-destructs after execution, so inspecting node_modules after the fact will not reveal whether you were infected; only log files will.
  • Fully automated build and deploy pipelines have since spread the malicious package into other packages, such as qqbrowser/openclaw-qbot@0.0.130.

Applicability

This threat affects any organisation that installed axios@1.14.1 or axios@0.30.4 after 23:59 UTC on March 30 and before the takedown, and any organisation that installed plain-crypto-js@4.2.1 after 04:00 UTC on March 30 and before the takedown.

Relevance to the supply chain

It is important to understand the extent to which your supply chain is affected by this threat. It targets a widely used JavaScript package and can completely take over any Windows, macOS or Linux system on which it executes. This could lead to lateral movement and subsequent breaches between organisations and across your supply chain ecosystem.

What should you do about it

  1. Scan your installed packages and lock files for axios@1.14.1, axios@0.30.4 or plain-crypto-js@4.2.1.
  2. Check feature branches and open PRs for these versions.
  3. Check log files for the following indicators of compromise (IOCs):
    3.1. Malicious axios versions and dependencies:
    • axios@1.14.1 (shasum: 2553649f2322049666871cea80a5d0d6adc700ca)
    • axios@0.30.4 (shasum: d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71)
    • plain-crypto-js@4.2.1 (shasum: 07d889e2dadce6f3910dcbc253317d28ca61c766)
    3.2. Network:
    • C2 domain: sfrclak[.]com
    • C2 IP: 142.11.206.73
    • C2 URL: http://sfrclak[.]com:8000/6202033
    • POST body (macOS): packages[.]npm[.]org/product0
    • POST body (Windows): packages[.]npm[.]org/product1
    • POST body (Linux): packages[.]npm[.]org/product2
    3.3. File system:
    • /Library/Caches/com.apple.act.mond — macOS payload
    • %PROGRAMDATA%\wt.exe — renamed copy of powershell.exe (Windows)
    • %TEMP%\6202033.vbs — VBScript launcher (Windows, self-deletes)
    • %TEMP%\6202033.ps1 — PowerShell payload (Windows, self-deletes)
    • /tmp/ld.py — Python payload (Linux)
    • $TMPDIR/6202033 — temp file (all platforms)
  4. If any IOC artefacts are detected, assume compromise, initiate your incident response process, and rotate all credentials present on the affected system.
  5. Understand to what extent your suppliers or partners are affected.
  6. Support your suppliers through actions 1-4.

Where to find more information

This is an evolving situation. You can keep up to date with the latest information on this threat by reading the following:

https://socket.dev/blog/axios-npm-package-compromised

Socket identified the malicious package initially and is monitoring its subsequent spread through the software supply chain.

To understand how your supply chain is affected by the axios NPM package compromise, create your free account on Risk Ledger. You can find out more about how the Emerging Threats feature on Risk Ledger works here.
