Axios npm Package Compromised in Supply Chain Attack

Two versions of the widely used Axios HTTP client library were found to contain malicious code this week, following a compromise of a developer account on the npm package registry. The incident, classified as a software supply chain attack, has raised significant security concerns for developers and organizations globally who rely on the open-source library for web communication.

Security researchers from StepSecurity identified that versions 1.14.1 and 0.30.4 of the Axios package were published with a harmful dependency. The malicious code was introduced via a package named “plain-crypto-js,” masquerading as version 4.2.1. The unauthorized publication was made possible after attackers gained access to the npm credentials of a primary maintainer for the Axios project.

Details of the Compromise

According to the investigation, the threat actors used the stolen credentials to publish the tainted versions. The malicious “plain-crypto-js” dependency was designed to download and execute a remote access trojan, or RAT, on infected systems. This type of malware provides attackers with extensive control over a compromised machine, allowing for data theft, surveillance, and further network penetration.

The attack is notable for its cross-platform capability; the RAT payload was configured to run on Windows, Linux, and macOS systems. This broad targeting increases the potential impact, affecting developers across different operating environments. The fake dependency was crafted to appear legitimate, a common tactic in supply chain attacks to evade initial scrutiny.

Response and Mitigation

Upon discovery, the malicious versions were swiftly reported and subsequently removed from the npm registry. The Axios maintainers have since regained control of the account and have published clean versions. Official advisories have been issued, urging all users to immediately check their projects and revert to known safe versions, specifically 1.14.0 or 0.30.3, and to remove any installed instances of the compromised releases.

Security firms and open-source communities have disseminated indicators of compromise, including file hashes and network signatures associated with the RAT. Developers are advised to scan their build pipelines and dependencies for any references to plain-crypto-js@4.2.1 or the specific Axios versions involved.

Broader Implications for Open Source

This event underscores persistent vulnerabilities in the open-source software ecosystem. Supply chain attacks, which poison trusted software at its source, are increasingly favored by advanced threat actors due to their high leverage; a single compromised package can infect thousands of downstream applications and services.

The incident highlights the critical importance of securing maintainer accounts with strong, multi-factor authentication and monitoring package publication activity for anomalies. It also reinforces the need for organizations to implement robust software bill of materials (SBOM) practices and automated dependency scanning to detect such compromises quickly.

Security analysts expect the maintainers of the Axios library and npm registry administrators to conduct a thorough post-mortem analysis. The findings will likely lead to updated security guidelines for high-impact packages. Further collaboration between open-source foundations and security vendors to protect critical digital infrastructure is anticipated in the wake of this attack.

Source: Based on reporting from StepSecurity and npm security advisories.