Axios Supply Chain Attack Causes Widespread Impact
A significant supply chain attack has recently impacted the popular Axios JavaScript library, causing widespread disruption. This incident stemmed from the hijacking of an Axios maintainer’s npm account. As a result, malicious updates were released, specifically versions v1.14.1 and v0.30.4. These compromised versions incorporated a hidden dependency known as plain-crypto-js, a remote access Trojan (RAT) capable of operating across various systems, including Windows, macOS, and Linux.
Details of the Axios Supply Chain Attack
The attackers did not alter the Axios source code directly. Instead, they injected the malicious package into the package.json file as a runtime dependency. When developers executed "npm install axios", the dependency tree was resolved automatically, installing plain-crypto-js alongside Axios.
Postinstall Dropper Mechanism
This installation process triggered a postinstall lifecycle hook. This hook executed a highly obfuscated Node.js script named setup.js. The script utilized a two-layer encoding scheme involving string manipulation and Base64 decoding.
Malicious Payload Delivery
The setup script functioned by querying the operating system and sending a request to a command-and-control (C2) server. The outbound C2 traffic was disguised as benign npm registry requests. It used platform-specific paths for different operating systems, such as:
- macOS: packages.npm[.]org/product0
- Windows: packages.npm[.]org/product1
- Linux: packages.npm[.]org/product2
Execution of the Remote Access Trojan
Upon successfully connecting with the C2 server, different payloads were delivered based on the operating system:
- macOS: A Mach-O binary was downloaded and executed silently.
- Windows: A PowerShell script was executed, with the dropped binary disguised under the Windows Terminal application name.
- Linux: A Python RAT script was downloaded and run in the background.
Comparison with Existing Threats
Analysis of the malware used showed overlap with activity linked to the Democratic People’s Republic of Korea (DPRK). The malware identified within this campaign shares characteristics with previous threats, including the WAVESHAPER backdoor.
Impacted Sectors
This supply chain attack has affected numerous sectors worldwide, including:
- Business Services
- Financial Services
- Media and Entertainment
- Medical Equipment
- Retail Services
- Higher Education
- High Technology
Recommended Response Actions
To mitigate risks from this attack, organizations are advised to take the following actions:
- Immediate Assessment: Check for compromised Axios versions and the malicious plain-crypto-js package.
- Isolate Affected Systems: If malicious packages are discovered, isolate those systems from the network.
- Remediate and Rebuild: Consider fully rebuilding from a known-good state.
- Rotate Credentials: Assume all secrets accessible on potentially compromised machines have been stolen.
Long-Term Security Measures
In the wake of this threat, it is vital for organizations to review and enhance their cybersecurity practices. Key suggestions include:
- Use containers to isolate development environments.
- Migrate plaintext secrets into secure vaults.
- Deploy endpoint detection and response (EDR) solutions on developer workstations.
As attackers evolve their tactics, it becomes imperative for organizations to remain vigilant. The recent Axios supply chain attack highlights the ongoing need for robust cybersecurity strategies.