postinstall hook that would execute a dropper script when it was pulled in by a different package as a dependency.Shortly after midnight UTC on March 31 a new version of the Axios package, axios@1.14.1, was published on npm followed by axios@0.30.4 39 minutes later. Both listed plain-crypto-js@4.2.1 as a dependency in their package.json files, but the rest of the components remained unchanged.A package that appears in the manifest but has zero usage or imports in the codebase is called a phantom dependency and is a high-confidence indicator of compromise, according to researchers at StepSecurity. Another indicator was that these versions appeared only on npm and not in the project’s GitHub repo as tagged releases.Axios’ legitimate 1.x releases were configured to use npm’s OIDC Trusted Publisher mechanism bound to GitHub Actions, but the 1.14.1 release was published manually via a stolen token with no corresponding commit or tag in the repository.In comments on GitHub, the project’s principal maintainer Jason Saayman acknowledged that while v1.x had trusted publishing configured, the v0.x branch still relied on a legacy long-lived token. A community member further pointed out that the v1.x publish workflow still passed NODE_AUTH_TOKEN to npm, which takes precedence over OIDC when both are present, meaning the long-lived token was also being used for v1.x rather than the intended trusted publishing mechanism.
Cross-platform malware: The obfuscated and encrypted postinstall script contacted a command-and-control (C2) server on a domain registered the day before by the attackers and downloaded platform-specific second-stage RAT payloads.On macOS, the binary is written to /Library/Caches/com.apple.act.mond and can self-sign injected payloads via codesign, force, deep, sign, bypassing macOS Gatekeeper protections. The malware fingerprints the system, collects hostname, username, macOS version, boot and install times, CPU architecture, and running processes, and then reaches out to the C2 server every 60 seconds.On Windows machines the payload is a PowerShell script copied to %PROGRAMDATA%\wt.exe, masquerading as Windows Terminal. The malware establishes persistence through a registry Run key named “MicrosoftUpdate” and a re-download batch file. Meanwhile Linux systems receive a Python script stored as /tmp/ld.py that gets executed via nohup python3.The RAT supports four commands: peinject for deploying additional binaries, runscript for executing shell or AppleScript code, rundir for directory enumeration, and kill for self-termination.According to researchers from security firm Socket, after execution the malware attempts to erase its tracks by deleting setup.js, removing the malicious package.json that contained the postinstall hook and replacing it with a clean copy that reports version 4.2.0 instead of 4.2.1. This means users running npm list in an affected project directory will see plain-crypto-js@4.2.0, potentially misleading them into believing the installed version predates the attack.
Detection and maintainer response: Security firms monitoring npm flagged plain-crypto-js@4.2.1 within minutes after it was published, triggering a series of responses, including by the npm registry team that removed the packages. However, the Axios project itself had difficulty containing the issue because the incident happened during the lead maintainer’s nighttime.A core collaborator of the project responded to the community-reported issue on GitHub also within minutes, but his permissions were lower than those of the maintainer whose token was compromised.This underscores a potential incident response gap open-source projects might face, because even if project contributors notice a breach immediately, the attacker could have higher privileges than them through a stolen token and could slow down attempts at damage control.In the recent Trivy compromise, attackers flooded the GitHub issue with spam comments from bots to make it harder for maintainers to respond and communicate with the community.
Prepare for more compromises: The cascade effect of the Axios incident became visible as dependency scanning tools flagged hundreds of downstream projects that had pulled the malicious versions. One user posted warnings to more than 50 repositories after detecting plain-crypto-js in their lockfiles, while another identified dozens more, from personal blogs to enterprise apps.This demonstrates how quickly the compromise of a popular npm package propagates through the ecosystem, even if the breach is detected within a few hours.Organizations should audit lockfiles and installed dependencies for the malicious versions immediately. If the malicious versions were installed, assume the development environments are fully compromised. Security teams should isolate affected systems, rotate all credentials present on them such as npm tokens, cloud provider keys, SSH private keys, CI/CD secrets, etc.”Do not rotate in place; revoke and reissue,” the Snyk researchers advised. “Do not attempt to clean compromised systems. Rebuild from a known-clean snapshot.”In the long term, organizations should enforce npm ci, ignore-scripts in CI/CD pipelines to prevent postinstall hooks from executing during automated builds and consider package age policies such as npm’s minimumReleaseAge setting. This gives development teams the ability to block the installation of packages that don’t have a minimum age, which would have blocked this attack since “plain-crypto-js” existed for less than 24 hours before being pulled into Axios’ dependency tree.The use of AI tools like Claude Code or OpenAI Codex in enterprise environments via their respective desktop apps extend the impact past developer environments. These tools are increasingly being used by non-developers in their work workflows, and LLMs tend to rely heavily on the npm and PyPI ecosystems for CLI tools.
Prepare for more compromises: The cascade effect of the Axios incident became visible as dependency scanning tools flagged hundreds of downstream projects that had pulled the malicious versions. One user posted warnings to more than 50 repositories after detecting plain-crypto-js in their lockfiles, while another identified dozens more, from personal blogs to enterprise apps.This demonstrates how quickly the compromise of a popular npm package propagates through the ecosystem, even if the breach is detected within a few hours.Organizations should audit lockfiles and installed dependencies for the malicious versions immediately. If the malicious versions were installed, assume the development environments are fully compromised. Security teams should isolate affected systems, rotate all credentials present on them such as npm tokens, cloud provider keys, SSH private keys, CI/CD secrets, etc.”Do not rotate in place; revoke and reissue,” the Snyk researchers advised. “Do not attempt to clean compromised systems. Rebuild from a known-clean snapshot.”In the long term, organizations should enforce npm ci, ignore-scripts in CI/CD pipelines to prevent postinstall hooks from executing during automated builds and consider package age policies such as npm’s minimumReleaseAge setting. This gives development teams the ability to block the installation of packages that don’t have a minimum age, which would have blocked this attack since “plain-crypto-js” existed for less than 24 hours before being pulled into Axios’ dependency tree.The use of AI tools like Claude Code or OpenAI Codex in enterprise environments via their respective desktop apps extend the impact past developer environments. These tools are increasingly being used by non-developers in their work workflows, and LLMs tend to rely heavily on the npm and PyPI ecosystems for CLI tools.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4152696/attackers-trojanize-axios-http-library-in-highest-impact-npm-supply-chain-attack.html
