Axios npm Malware Attack 2023: Developers Face New Risks

Malicious versions of the popular Axios JavaScript library were live on npm for roughly three hours. This is a new risk for developers who install from npm with floating version ranges.

A recent supply chain attack compromised the npm account of the maintainer of Axios, a widely used JavaScript HTTP client. The attackers published new versions of Axios carrying malicious changes, which were then distributed through the npm package registry. The tainted releases, axios@1.14.1 and axios@0.30.4, declared a new transitive dependency on a malicious version of plain-crypto-js, which acted as a dropper for a cross-platform remote access trojan (RAT).


The attackers gained access to the maintainer's account, reportedly without multi-factor authentication enabled, and published the compromised versions of Axios. These malicious updates remained live on the npm registry for approximately three hours. Any developer or automated system updating Axios during this window, or pulling any package with a flexible version dependency on Axios, could have inadvertently installed the malware.


The injected dependency, masquerading as a legitimate package, was designed to deliver a RAT to affected systems. The payload and how it was executed varied by operating system:


  • macOS: A native binary, identified as com.apple.act.mond, was dropped into /Library/Caches/.

  • Windows: A PowerShell script (wt.exe) or VBScript stager was deployed.

  • Linux: A Python script named ld.py was used.

The command and control (C2) infrastructure for the attack was traced to sfrclak[.]com on port 8000. Security researchers noted that the only change to Axios itself was in its package.json file (the added dependency); the core Axios source files were not altered. The attackers also published the malicious plain-crypto-js package themselves, and that package, not Axios, was the actual payload carrier.


Background and Vulnerabilities

The compromise highlights critical weaknesses in software development workflows and package management security. The attack relied on how npm resolves version ranges: a range such as ^1.14.0 resolves to the newest matching version published at install time, so any install that ran during the roughly three-hour window, and had no lockfile pinning an older version, picked up the malicious release.

"Every npm install pulling the latest version is potentially compromised right now." - Feross Aboukhadijeh, Socket Security CEO
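The following is an added example (it is not code from the article or from the Axios project) that simulates the time-dependent resolution described above. It implements a minimal matcher for exact, caret and tilde ranges and resolves a range against a constructed publish timeline. The affected versions 1.14.1 and 0.30.4 and the three-hour window come from the article; the publish timestamps, the unpublish time, and the assumed clean prior releases 1.14.0 and 0.30.3 are assumptions for illustration.

```javascript
// Added example: which version does a range resolve to at a given install time?
// Parse "major.minor.patch" into numbers.
const parse = (v) => v.split('.').map(Number);

// Compare two parsed versions: negative, zero or positive.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Minimal range matcher: exact "1.14.0", caret "^1.14.0", tilde "~1.14.0".
// Caret keeps the major fixed (for 0.x it keeps major and minor fixed);
// tilde keeps major and minor fixed. Both allow anything >= the base.
function satisfies(version, range) {
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = parse(op ? range.slice(1) : range);
  const v = parse(version);
  if (!op) return cmp(v, base) === 0;
  if (cmp(v, base) < 0) return false;
  if (op === '^') {
    return base[0] > 0 ? v[0] === base[0] : v[0] === base[0] && v[1] === base[1];
  }
  return v[0] === base[0] && v[1] === base[1];
}

// Constructed, hypothetical registry timeline (times in ms since epoch).
// The article gives the date of the compromise but not the hour; T0 is assumed.
const H = 3600 * 1000;
const T0 = Date.UTC(2023, 9, 25, 0, 0, 0);
const TIMELINE = [
  { version: '1.14.0', published: T0 - 30 * 24 * H },            // assumed clean prior release
  { version: '1.14.1', published: T0, unpublished: T0 + 3 * H },  // malicious, live ~3h per article
  { version: '0.30.3', published: T0 - 30 * 24 * H },            // assumed clean prior release
  { version: '0.30.4', published: T0, unpublished: T0 + 3 * H },  // malicious, live ~3h per article
];
const BAD = new Set(['1.14.1', '0.30.4']);

// Versions visible on the registry at time t (published, and not yet removed).
function availableAt(timeline, t) {
  return timeline
    .filter((e) => e.published <= t && (e.unpublished === undefined || e.unpublished > t))
    .map((e) => e.version);
}

// npm's rule in miniature: the highest available version satisfying the range.
function resolve(timeline, range, t) {
  const candidates = availableAt(timeline, t).filter((v) => satisfies(v, range));
  candidates.sort((a, b) => cmp(parse(b), parse(a)));
  return candidates.length ? candidates[0] : null;
}

// What a fresh install (no lockfile) of `range` would have fetched at time t.
function installOutcome(range, t) {
  const version = resolve(TIMELINE, range, t);
  return { version, compromised: BAD.has(version) };
}

// Stand-alone demo: the same range, one hour before, inside, and after the window.
if (typeof require !== 'undefined' && require.main === module) {
  for (const t of [T0 - H, T0 + H, T0 + 4 * H]) {
    console.log(new Date(t).toISOString(), '^1.14.0 ->', installOutcome('^1.14.0', t));
  }
  console.log('pinned 1.14.0 during window ->', installOutcome('1.14.0', T0 + H));
}
```

The pinned case is the point: an exact version (or a committed lockfile installed with `npm ci`) does not change with the clock, whereas a caret or tilde range silently follows whatever the registry holds at that moment.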

Key takeaways from the incident include:

  • Account Security: The compromise underscores the critical need for multi-factor authentication (MFA) on all developer accounts, especially those managing widely used packages.

  • Dependency Management: Reliance on flexible version ranges (like ^ or ~) in package.json files can lead to automatic fetching of compromised versions. Pinning dependencies to specific known-safe versions on the 1.x and 0.x branches, and installing from a committed lockfile rather than re-resolving ranges on every install, is a crucial mitigation step.

  • Supply Chain Visibility: Security teams are increasingly looking for signals like the absence of SLSA provenance attestations, which were present in legitimate Axios versions but missing from the compromised ones.

  • Automated Detection: Tools capable of scanning lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) and installed packages for specific malicious versions or dependencies are vital for rapid identification.

  • Mitigation Strategies: Beyond updating to safe versions, organizations are advised to use npm's overrides field (or Yarn's resolutions) in package.json to force axios to a safe version and prevent transitive resolution of the malicious dependency. Disabling lifecycle script execution during installs (npm config set ignore-scripts true) is also recommended as a preventative measure; note that it blocks install scripts for every package, so native modules that rely on postinstall builds will need a separate, explicit build step.
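As an added example of the automated detection and dependency-management points above (this is not the article's or the Axios project's code), the script below scans an npm lockfile for the two compromised Axios versions named in the article and for any occurrence of plain-crypto-js, handling both the lockfileVersion 2/3 `packages` map and the older lockfileVersion 1 `dependencies` tree. The sample lockfiles are constructed inline; the plain-crypto-js version, the unrelated package some-lib, and the nested axios 1.7.9 are hypothetical values, not versions taken from the incident.

```javascript
// Added example: scan package-lock.json for known-compromised packages.
// Known-bad versions of specific packages (from the article).
const BAD_VERSIONS = { axios: new Set(['1.14.1', '0.30.4']) };
// Packages that should never appear at all: the article describes plain-crypto-js
// as an attacker-published payload carrier, so any version is a finding.
const BAD_PACKAGES = new Set(['plain-crypto-js']);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (scoped names keep their slash).
function packageNameFromPath(p) {
  const marker = 'node_modules/';
  const idx = p.lastIndexOf(marker);
  return idx === -1 ? null : p.slice(idx + marker.length);
}

// Record a finding for one installed package, if it matches either list.
function check(name, version, path, findings) {
  if (BAD_PACKAGES.has(name)) {
    findings.push({ path, name, version, reason: 'attacker-published dependency' });
  } else if (BAD_VERSIONS[name] && BAD_VERSIONS[name].has(version)) {
    findings.push({ path, name, version, reason: 'known-compromised version' });
  }
}

// lockfileVersion 1 nests dependencies recursively under each entry.
function walkV1(deps, parentPath, findings) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${parentPath}node_modules/${name}`;
    check(name, meta.version, path, findings);
    walkV1(meta.dependencies, `${path}/`, findings);
  }
}

// Returns the list of findings; an empty list means the lockfile is clean
// with respect to the indicators above (and nothing else).
function scanLockfile(lock) {
  const findings = [];
  if (lock.lockfileVersion >= 2 && lock.packages) {
    // v2/v3: flat map keyed by install path; "" is the root project itself.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue;
      const name = packageNameFromPath(path);
      if (name) check(name, meta.version, path, findings);
    }
  } else {
    walkV1(lock.dependencies, '', findings);
  }
  return findings;
}

// Constructed sample lockfiles (hypothetical values marked in comments).
const SAMPLE_LOCK_V3 = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '*' } }, // range is illustrative
    'node_modules/plain-crypto-js': { version: '0.0.0' },               // hypothetical version
    'node_modules/some-lib': { version: '2.0.0' },                      // hypothetical, unrelated
    'node_modules/some-lib/node_modules/axios': { version: '1.7.9' },   // hypothetical clean nested copy
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    axios: { version: '0.30.4', dependencies: { 'plain-crypto-js': { version: '0.0.0' } } },
  },
};

// Stand-alone use: `node scan.js package-lock.json`; without an argument it scans the sample.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const file = process.argv[2];
  const lock = file ? JSON.parse(fs.readFileSync(file, 'utf8')) : SAMPLE_LOCK_V3;
  const findings = scanLockfile(lock);
  for (const f of findings) console.log(`${f.reason}: ${f.name}@${f.version} at ${f.path}`);
  console.log(findings.length ? `${findings.length} finding(s)` : 'no findings');
}
```

Running this against a real lockfile only tells you whether the lockfile references the indicators; a host whose `node_modules` was installed before the lockfile was updated still needs its installed tree inspected. The same indicators map onto npm `overrides`: an entry such as `"axios": "<safe version>"` in package.json forces every copy in the tree, including nested ones, to that exact version.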

Microsoft Security Intelligence has attributed the infrastructure and the Axios npm compromise to Sapphire Sleet, identified as a North Korean state actor. This incident serves as a stark reminder of the pervasive threats within the 'JavaScript supply chain', a complex web of dependencies that underpins a vast array of modern software applications.


Frequently Asked Questions

Q: What happened to the popular Axios npm library on October 25, 2023?
The npm account for Axios, a widely used JavaScript library, was taken over by attackers. They added bad code to new versions of Axios, which were then shared through the npm system.
Q: Which versions of Axios were affected by the malware attack on October 25, 2023?
The malicious changes were published as Axios versions axios@1.14.1 and axios@0.30.4. These versions pulled in another malicious package, plain-crypto-js, which carried the actual payload.
Q: How did the attackers put malware into Axios on October 25, 2023?
Attackers took over the account of the maintainer who publishes Axios. They changed the package.json file, which tells npm which other packages Axios depends on, to add the malicious plain-crypto-js dependency. The main Axios code was not changed.
Q: How can developers protect their projects from the Axios npm malware attack from October 25, 2023?
Developers should not use versions 1.14.1 or 0.30.4. They should move to a known-safe release on the 1.x or 0.x branch, pin it, and check their lockfiles for plain-crypto-js. It is also important to turn on extra security like multi-factor authentication for npm accounts.
Q: Who is blamed for the Axios npm malware attack on October 25, 2023?
Microsoft Security Intelligence attributes the attack to a North Korean state actor tracked as Sapphire Sleet. The incident shows how dangerous a compromised account can be when so much software depends on shared packages.