The widely used Axios HTTP client library for JavaScript has been compromised in a significant supply chain attack. Security researchers discovered that two recently published versions of the package on the npm registry, 1.14.1 and 0.30.4, contain malicious code designed to install a trojan on developers' systems.
According to a report from StepSecurity, the attack was executed by injecting a malicious dependency named "plain-crypto-js" into the compromised Axios versions. This method suggests an attacker gained unauthorized access to a project maintainer's account to publish the tainted packages. Once installed, the malicious dependency deploys a cross-platform Remote Access Trojan (RAT).
This type of malware is particularly dangerous as it grants attackers extensive control over an infected machine. A RAT can be used to execute arbitrary commands, access and exfiltrate sensitive files like source code or credentials, and monitor system activity. The malware is engineered to function on Windows, macOS, and Linux, expanding its reach from individual developer workstations to production servers running Node.js applications.
Given Axios's immense popularity, with millions of weekly downloads, the potential impact of this compromise is severe. Countless web applications, backend services, and development environments could be affected, putting organizations at risk of data breaches and further network intrusion.
Developers and organizations using Axios are strongly advised to immediately audit their projects and dependencies. If versions 1.14.1 or 0.30.4 are in use, they should be removed and replaced with a known safe version. This incident highlights the persistent threat of supply chain attacks targeting critical open-source software projects.
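One way to carry out the dependency audit recommended above, as an added example that is not part of the original report: a script that scans a parsed package-lock.json for the two compromised Axios releases and for the injected plain-crypto-js dependency. The sample lockfile, its other package versions, the placeholder plain-crypto-js version and the function names are constructed for illustration.

```javascript
// Added example (not from the advisory): scan a parsed package-lock.json for the
// compromised axios releases and the injected "plain-crypto-js" dependency.
const COMPROMISED_AXIOS = new Set(["1.14.1", "0.30.4"]);
const MALICIOUS_DEP = "plain-crypto-js";

// Package name from a lockfile v2/v3 path such as "node_modules/a/node_modules/@s/b".
function nameFromPath(p) {
  const marker = "node_modules/";
  return p.slice(p.lastIndexOf(marker) + marker.length);
}

function check(findings, where, name, version) {
  if (name === "axios" && COMPROMISED_AXIOS.has(version)) {
    findings.push({ where, name, version, reason: "compromised axios release" });
  }
  if (name === MALICIOUS_DEP) {
    findings.push({ where, name, version, reason: "injected malicious dependency" });
  }
}

// Walks the nested "dependencies" tree used by lockfileVersion 1.
function walkV1(findings, deps, prefix) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const where = `${prefix}node_modules/${name}`;
    check(findings, where, name, meta.version);
    walkV1(findings, meta.dependencies, `${where}/`);
  }
}

function scanLockfile(lock) {
  const findings = [];
  if (lock.packages) {               // lockfileVersion 2 and 3: flat path map
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue;     // root project entry, not a dependency
      check(findings, path, meta.name || nameFromPath(path), meta.version);
    }
  } else {
    walkV1(findings, lock.dependencies, "");
  }
  return findings;
}

// Constructed sample lockfile; the plain-crypto-js version is a placeholder.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/left-pad": { version: "1.3.0" },
  "node_modules/axios": { version: "1.14.1" },
  "node_modules/axios/node_modules/plain-crypto-js": { version: "0.0.0" } } };

console.log(scanLockfile(SAMPLE_LOCK));
```

Feed it `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` in place of SAMPLE_LOCK; a non-empty result means the installed tree carries one of the versions named above and should be rebuilt from a known safe release.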