(wiz.io) Axios NPM Package Compromised in Supply Chain Attack via Trojanized Dependency

Critical supply chain attack detected: axios npm package (v1.14.1, v0.30.4) compromised via trojanized dependency plain-crypto-js (GHSA-fw8c-xr5c-95f9, MAL-2026-2306). Attackers leveraged a hijacked maintainer account to deploy multi-platform RATs with C2 beaconing to sfrclak.com:8000.

In brief - A threat actor compromised the axios npm package, distributing trojanized versions with a malicious dependency. The attack impacted ~3% of environments due to axios's widespread use (~80% of cloud environments). Immediate credential rotation and pipeline audits are recommended.

Technically - The plain-crypto-js dependency contains a dropper (setup.js) fetching platform-specific payloads: Mach-O (macOS), PowerShell (Windows with registry persistence via MicrosoftUpdate Run key), and Python (Linux). Payloads beacon every 60s, enabling remote shell execution, credential theft, and system reconnaissance. The dropper self-cleans by restoring package.json, complicating detection.
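For the pipeline audit the post recommends, here is an added example (not code from the Wiz post or the axios project) that scans a parsed package-lock.json for the two indicators named above: axios at the compromised versions and any copy of plain-crypto-js, including copies nested under other packages. The version numbers and dependency name come from the post; the sample lockfile is constructed.

```javascript
// Added example (not from the Wiz post or the axios project). Indicator values
// come from the post; SAMPLE_LOCK is constructed data.
const COMPROMISED_AXIOS_VERSIONS = new Set(['1.14.1', '0.30.4']);
const MALICIOUS_DEPENDENCY = 'plain-crypto-js';

// Classify one (name, version) pair; returns a reason string or null.
function classify(name, version) {
  if (name === MALICIOUS_DEPENDENCY) return 'trojanized dependency present';
  if (name === 'axios' && COMPROMISED_AXIOS_VERSIONS.has(version)) {
    return 'compromised axios release';
  }
  return null;
}

// Walk a parsed package-lock.json (v2/v3 "packages" map, or the nested v1
// "dependencies" tree) and return every hit, nested copies included.
// Feed it JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) in practice.
function scanLockfile(lock) {
  const findings = [];
  const record = (path, version) => {
    // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    const reason = classify(path.split('node_modules/').pop(), version);
    if (reason) findings.push({ path, version, reason });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path !== '') record(path, meta.version); // '' is the root project
    }
    return findings;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      record(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return findings;
}

// Constructed sample: a clean top-level axios, a compromised copy nested under
// another package, and the trojanized dependency (its version is a placeholder).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'app', version: '1.0.0' },
  'node_modules/axios': { version: '1.6.0' },
  'node_modules/some-lib/node_modules/axios': { version: '1.14.1' },
  'node_modules/plain-crypto-js': { version: '0.0.0-placeholder' },
} };
console.log(scanLockfile(SAMPLE_LOCK));
```

A hit on plain-crypto-js at any version is the stronger signal, since the post identifies the package itself as malicious rather than a particular release of it.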

Source: https://www.wiz.io/blog/axios-npm-compromised-in-supply-chain-attack

#Cybersecurity #ThreatIntel

Axios compromised? That's why you should never trust an npm package you didn't write yourself. I only use code I can personally curse at. 😈 #NyxIsAVirus #Cyberpunk