March 31, 2026 · Gary

Axios npm Package Compromise Shows How Dangerous Supply Chain Attacks Can Be

A recent supply chain attack targeting the widely used Axios npm package has generated significant concern within the JavaScript ecosystem. Specific published versions of Axios were discovered to contain a malicious dependency capable of granting attackers remote access to compromised systems. Given Axios’s prevalence in both frontend and backend development, this incident poses a substantial risk to numerous projects.

The compromised releases include axios 1.14.1 and axios 0.30.4. These versions incorporated plain-crypto-js 4.2.1, which researchers identified as a malicious package. Analysis revealed that the dependency employed a multi-stage payload capable of executing arbitrary commands, exfiltrating system information, and maintaining persistence on the affected machine. This incident, therefore, represents a sophisticated malware-delivery mechanism embedded within a trusted dependency chain, rather than a minor package issue.

A notable irregularity in this incident is that the affected Axios release did not adhere to the project’s standard publishing procedures. When the issue was reported, the new version was available on npm, yet there was no corresponding GitHub tag in the Axios repository. This discrepancy indicates that the package may have been published outside the maintainers’ established release workflow, which constitutes a significant security concern in open-source software.

Researchers determined that the malicious dependency was published only minutes prior to the release of the compromised Axios versions. This timing suggests that the dependency was intentionally staged and subsequently integrated into Axios. Such subtle modifications are common in supply chain attacks, as they can evade detection during routine reviews, particularly when malicious code is concealed within less-scrutinized transitive dependencies.

The malware was engineered to activate during installation via the npm postinstall hook. Upon execution, it launched a dropper script that identified the target operating system and downloaded a tailored payload for Windows, macOS, or Linux environments. The malicious code further employed obfuscation techniques to conceal critical elements, including file paths, commands, and its command-and-control infrastructure.

On macOS, the second-stage payload reportedly functioned as a comprehensive remote access trojan, capable of system profiling, data exfiltration to a command server, and execution of additional commands. The Windows and Linux variants utilized distinct delivery mechanisms. Notably, the malware attempted to erase evidence post-execution by deleting its setup script and replacing modified package files with benign-appearing versions. Such anti-forensics measures significantly hinder detection efforts by developers reviewing installed dependencies retrospectively.

This attack underscores that even widely trusted packages can pose significant risks if the software supply chain is compromised. Developers may assume that established packages such as Axios are inherently secure, yet incidents of this nature highlight the importance of rigorous dependency management. Practices such as auditing lockfiles, thoroughly reviewing dependency changes, monitoring package updates, and employing tools to detect anomalous behavior are essential for mitigating such threats.

Users of Axios are advised to promptly audit their projects for the affected versions and to check for the presence of the malicious plain-crypto-js package. If these versions are detected, they should be removed or reverted to a verified safe release without delay. Given the evolving nature of such incidents, it is critical to remain informed through security advisories and package ecosystem alerts.
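As an added example (not code from the original post or from the Axios project), the following Node script performs the audit described above: it reads a package-lock.json (lockfileVersion 2 or 3) and reports any installed copy of the affected axios versions or of plain-crypto-js at any version. The embedded sample lockfile is constructed for the demonstration; only the package names and version numbers come from the post.

```javascript
// Added audit script: scan an npm lockfile for the packages named in the post.
// Versions are taken from the post; the sample lockfile below is constructed.

// null means "flag every version"; a Set lists the specific versions to flag.
const AFFECTED = {
  axios: new Set(['1.14.1', '0.30.4']), // compromised releases named in the post
  'plain-crypto-js': null,             // malicious dependency (4.2.1 is the version named)
};

// Constructed, abridged lockfileVersion 3 package-lock.json used as sample input.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '4.2.1' } },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
    'node_modules/follow-redirects': { version: '1.15.6' },
  },
});

// Returns one finding per installed package that matches AFFECTED. Each finding
// records where the copy sits in node_modules (nested copies included) and whether
// the lockfile marks it as having an install script (the postinstall hook vector).
function findAffected(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const findings = [];
  for (const [pkgPath, entry] of Object.entries(lock.packages || {})) {
    if (pkgPath === '') continue; // root project entry, not a dependency
    // Package name is the path segment after the last "node_modules/" (keeps @scope/name).
    const tail = pkgPath.lastIndexOf('node_modules/');
    const name = entry.name || pkgPath.slice(tail + 'node_modules/'.length);
    const bad = AFFECTED[name];
    if (bad !== undefined && (bad === null || bad.has(entry.version))) {
      findings.push({ path: pkgPath, name, version: entry.version,
        hasInstallScript: Boolean(entry.hasInstallScript) });
    }
  }
  return findings;
}

// Usage: node audit-lock.js path/to/package-lock.json  (no argument scans the sample).
const lockPath = typeof process !== 'undefined' && process.argv[2];
const hits = findAffected(lockPath ? require('fs').readFileSync(lockPath, 'utf8') : SAMPLE_LOCKFILE);
for (const h of hits) {
  console.log(`${h.name}@${h.version} at ${h.path}${h.hasInstallScript ? ' (install script)' : ''}`);
}
if (lockPath) process.exitCode = hits.length ? 1 : 0; // non-zero exit for CI when anything is found
```

A clean result from this script does not prove the project is unaffected: a compromised copy may already have run its postinstall hook and, as the post notes, replaced its files with benign-looking ones, so the lockfile history in version control should be checked as well.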

Source: https://socket.dev/blog/axios-npm-package-compromised
