Hackers hijacked the npm account of the Axios package, a JavaScript HTTP client with 100M+ weekly downloads, to deliver remote access trojans to Linux, Windows, and macOS systems.
According to reports from software supply chain security and application security companies Endor Labs, Socket, Aikido, and StepSecurity, the threat actor published two malicious versions of the package on the Node Package Manager (npm) registry.
One malicious variant, [email protected], was published today at 00:21 UTC, while the second one, [email protected], emerged less than an hour later, at 01:00 UTC.
The packages were published without the automated OpenID Connect (OIDC) package provenance, and no matching GitHub commit appeared, both of which should trigger an alert immediately.
The researchers say that the threat actor gained access to the package after compromising the npm account of Jason Saayman, the main Axios maintainer.
It is unclear how many downstream projects have been impacted by the supply-chain attack during the nearly three-hour exposure window.
Given that the Axios npm package has around 400 million monthly downloads, the number may be significant.
Axios is an HTTP client for JavaScript applications that manages requests between clients, such as browsers or Node.js apps, and servers. Its purpose is to simplify communication via GET, POST, PUT/PATCH, and DELETE requests.
Infection chain
After getting access to the package, the attacker injected a malicious dependency called plain-crypto-js@^4.2.1 into the package.json file and did not alter the Axios code.
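As an added illustration (not code from the article or from the Axios project), the following Node.js script applies the two signals described above to a pair of constructed version manifests: a dependency that appears in the new release but not in the previous one, and a release that carries no OIDC provenance attestation. The manifest shape and the `dist.attestations` field are assumed to follow what `npm view <pkg>@<version> --json` returns; the version numbers and dependency ranges are constructed placeholders.

```javascript
// Added example, not part of the article. Both manifests are CONSTRUCTED
// samples; the version strings and dependency ranges are placeholders.
const previous = {
  name: "axios",
  version: "0.0.0-previous-example",
  dependencies: {
    "follow-redirects": "^1.0.0",
    "form-data": "^4.0.0",
    "proxy-from-env": "^1.0.0",
  },
  // Assumed layout of a provenance attestation as the registry reports it.
  dist: {
    attestations: {
      url: "https://registry.npmjs.org/-/npm/v1/attestations/axios@0.0.0-previous-example",
      provenance: { predicateType: "https://slsa.dev/provenance/v1" },
    },
  },
};

const suspicious = {
  name: "axios",
  version: "0.0.0-malicious-example",
  dependencies: {
    "follow-redirects": "^1.0.0",
    "form-data": "^4.0.0",
    "proxy-from-env": "^1.0.0",
    "plain-crypto-js": "^4.2.1", // injected dependency named in the article
  },
  dist: {}, // no attestations: published without OIDC provenance
};

// A release counts as attested only if the registry metadata carries
// both the attestation URL and a provenance predicate type.
function hasProvenance(manifest) {
  const att = manifest.dist && manifest.dist.attestations;
  return Boolean(att && att.url && att.provenance && att.provenance.predicateType);
}

// Names present in the new manifest's dependencies but absent from the old one.
function addedDependencies(oldManifest, newManifest) {
  const before = oldManifest.dependencies || {};
  return Object.keys(newManifest.dependencies || {}).filter((n) => !(n in before));
}

// Combine both signals into one finding list for the new release.
function auditRelease(oldManifest, newManifest) {
  const findings = [];
  const added = addedDependencies(oldManifest, newManifest);
  if (added.length > 0) findings.push(`new dependencies: ${added.join(", ")}`);
  if (hasProvenance(oldManifest) && !hasProvenance(newManifest)) {
    findings.push("provenance attestation missing on new release");
  }
  return { version: newManifest.version, suspicious: findings.length > 0, findings };
}

console.log(JSON.stringify(auditRelease(previous, suspicious), null, 2));
```

In practice the two manifests would come from the registry for the last known-good version and the newly published one; a single such finding is reason to hold the upgrade until the release is verified.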