
Axios Supply Chain Attack Unleashes Cross-Platform RAT on Developers

A sophisticated supply chain attack has compromised the popular JavaScript HTTP client, Axios, injecting a malicious dependency that delivers a cross-platform Remote Access Trojan (RAT) to unsuspecting developers. The attack, which exploited a hijacked maintainer account, bypassed standard security measures and targeted Windows, macOS, and Linux systems.

Key Takeaways

  • Two malicious versions of Axios (1.14.1 and 0.30.4) were published using compromised npm credentials.

  • Attackers injected a fake dependency, "plain-crypto-js@4.2.1," which acted as a RAT dropper.

  • The malware is designed to evade detection and cover its tracks after execution.

  • Developers are urged to downgrade Axios and rotate credentials immediately.

The Attack Unfolds

The attackers gained control of the npm account belonging to Axios's primary maintainer, "jasonsaayman," and used it to publish two compromised versions of the package: 1.14.1 and 0.30.4. Instead of altering Axios's source code, the threat actors introduced a malicious, undeclared dependency named plain-crypto-js@4.2.1. This package contained a post-install script that functioned as a dropper for a cross-platform RAT.

The attack was meticulously planned, with the malicious dependency staged 18 hours in advance and multiple payloads pre-built for different operating systems. The compromised versions were published within a short timeframe, and the malware was designed to self-destruct and remove traces of its presence after execution, making forensic analysis difficult.

Malware Capabilities and Evasion Tactics

Once installed, the package executed an obfuscated Node.js script. This script then deployed platform-specific second-stage payloads:

  • macOS: An AppleScript payload fetched a trojan binary, disguised it as a system file, and executed it.

  • Windows: The malware leveraged PowerShell, copying the binary to a fake system path and executing a VBScript to download and run a PowerShell RAT.

  • Linux: A shell command was used to fetch and execute a Python RAT script.

All variants communicated with a command-and-control (C2) server, sending system reconnaissance data and awaiting further instructions. The RATs were capable of executing arbitrary commands, injecting binaries, and enumerating file systems. To evade detection, the malware performed several cleanup steps, including removing the post-install script and altering package manifest files.

Recommendations for Developers

Developers who may have installed the affected Axios versions (1.14.1 or 0.30.4) are strongly advised to take immediate action:

  • Downgrade Axios: Revert to a safe version, such as axios@1.14.0 or axios@0.30.3.

  • Remove Malicious Dependency: Ensure plain-crypto-js is removed from the node_modules directory.

  • Rotate Credentials: Assume compromise and rotate all secrets, API keys, and credentials used on affected systems.

  • System Audit: Check for RAT artifacts on macOS (/Library/Caches/com.apple.act.mond), Windows (%PROGRAMDATA%\wt.exe), and Linux (/tmp/ld.py).

  • Audit CI/CD Pipelines: Review build processes for any exposure to the affected versions.

Given the widespread use of Axios, with over 80 million weekly downloads, this incident highlights the critical importance of supply chain security and vigilant dependency management within the software development lifecycle.

