The NPM package for Axios, a popular JavaScript HTTP client library, was briefly compromised this week, possibly by North Korean threat actors.
The Axios JavaScript NPM package was recently compromised, representing one of the highest impact supply chain attacks against the open source development ecosystem in recent months.
Axios is the most popular JavaScript HTTP client library and is downloaded more than 400 million times per month on NPM. Software development security vendor StepSecurity identified and reported yesterday that two malicious versions had been published to NPM: axios@1.14.1 and axios@0.30.4.
As StepSecurity explained in its blog post on the incident, these malicious versions include a new malicious dependency named "plain-crypto-js@4.2.1." Apparently impersonating the otherwise legitimate crypto-js library, plain-crypto-js executes a script that installs a remote-access Trojan (RAT) capable of functioning across Windows, Linux, and Mac. The attack apparently began because the lead maintainer's account, "jasonsaayman," was compromised.
"The dropper contacts a live command-and-control server and delivers platform-specific, second stage payloads. After execution, the malware deletes itself and replaces its own package.json with a clean version to evade forensic detection," StepSecurity's blog read. "There are zero lines of malicious code inside axios itself, and that's exactly what makes this attack so dangerous."
The packages were active for a few hours (around three hours for both Axios versions) before NPM fully removed all traces of the campaign. Because Axios is so popular, and because the malicious versions were up for a decent chunk of time (one version of plain-crypto-js was publicly exposed for more than 21 hours before receiving a security hold, according to an Endor Labs blog), organizations should check for indicators of compromise (available in the StepSecurity, Endor Labs, and Socket blog posts).
Feross Aboukhadijeh, CEO of Socket, tells Dark Reading in an email that in the JavaScript ecosystem, "this is the kind of incident where teams should drop everything and verify their dependencies immediately."
Google Threat Intelligence Group chief analyst John Hultquist writes in an emailed statement that while the full breadth of the incident remains unclear, Google expects it to have a far-reaching impact. It's worth noting that North Korea has done this kind of thing before.
Kurmi says that based on how the RAT operates (and not accounting for other vendor attributions), the Axios attacker could be interested in access brokering or espionage.
"The RAT's first action is device profiling (hostname, username, OS, processes, directory walk) before doing anything else — that's cataloging, not looting. A blunt infostealer grabs credentials and leaves; this one fingerprints the environment and waits for instructions, pointing to initial access brokerage or targeted espionage," he says. "Axios lives in developer environments holding source code, deploy keys, and cloud credentials a cryptominer has no use for, and the 18-hour pre-staging, simultaneous branch poisoning, and anti-forensics suggest an actor who has done this before."
If North Korea is involved, Kurmi says that changes the story significantly, as UNC1069 is best known as an arm of North Korea's Lazarus Group responsible for filling DPRK coffers. They steal cryptocurrency and seize credentials that can be used to access wallets or fintech architecture. Moreover, "What makes this particularly notable is that it would represent DPRK's first successful compromise of a top-10 npm package."
"The malicious dependency was staged 18 hours in advance. Three payloads were pre-built for three operating systems. Both release branches were poisoned within 39 minutes of each other. Every artifact was designed to self-destruct. Within two seconds of npm install, the malware was already calling home to the attacker's server before npm had even finished resolving dependencies," the blog post read. "This is among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package."
StepSecurity's Ashish Kurmi tells Dark Reading this was far more sophisticated than a typical NPM attack, as most rely on typosquatting, but "this required compromising a real maintainer account, bypassing Axios' OIDC-based publishing pipeline, and building anti-forensics that make npm list report the wrong version post-infection."
Kurmi calls that "operational tradecraft," not a script. "We've been tracking several supply chain attacks from last year to this year — the Shai-Hulud attacks, the Nx Singularity incident, the tj-actions/changed-files compromise, the Trivy compromise, Checkmarx KICS, the LiteLLM PyPI compromise, the Canister worm, and now Axios — each one has shown a step up in operational sophistication and anti-forensic awareness."
As for how "bad" this attack is from the defender's point of view, Kurmi notes that the total installs would have been limited because the primary exposure window (not causing the one aforementioned exception) was only about three hours in practice. However, developers that were impacted during that time would have likely seen no error, warning, or trace left behind. As such, "A quiet, traceless compromise of a developer's machine is a fundamentally different risk than something loud that gets patched fast."
Endor Labs security researcher Peyton Kennedy agrees the attack is a big step up in its sophistication.
"Last year, Shai-hulud's worm-based propagation was novel, and we've since seen that technique replicated in CanisterWorm and other campaigns. This attack is a different kind of escalation: staged dependency seeding to evade scanners, platform-specific payload chains, and self-deleting anti-forensic cleanup," Kennedy says. "This looks like deliberate, planned tradecraft from an experienced threat actor."
The Axios JavaScript NPM package was recently compromised, representing one of the highest impact supply chain attacks against the open source development ecosystem in recent months.
Axios is the most popular JavaScript HTTP client library and is downloaded more than 400 million times per month on NPM. Software development security vendor StepSecurity identified and reported yesterday that two malicious versions had been published to NPM: axios@1.14.1 and axios@0.30.4.
As StepSecurity explained in its blog post on the incident, these malicious versions include a new malicious dependency named "plain-crypto-js@4.2.1." Apparently impersonating the otherwise legitimate crypto-js library, plain-crypto-js executes a script that installs a remote-access Trojan (RAT) capable of functioning across Windows, Linux, and Mac. The attack apparently began because the lead maintainer's account, "jasonsaayman," was compromised.
"The dropper contacts a live command-and-control server and delivers platform-specific, second stage payloads. After execution, the malware deletes itself and replaces its own package.json with a clean version to evade forensic detection," StepSecurity's blog read. "There are zero lines of malicious code inside axios itself, and that's exactly what makes this attack so dangerous."
The packages were active for a few hours (around three hours for both Axios versions) before NPM fully removed all traces of the campaign. Because Axios is so popular, and because the malicious versions were up for a decent chunk of time (one version of plain-crypto-js was publicly exposed for more than 21 hours before receiving a security hold, according to an Endor Labs blog), organizations should check for indicators of compromise (available in the StepSecurity, Endor Labs, and Socket blog posts).
Feross Aboukhadijeh, CEO of Socket, tells Dark Reading in an email that in the JavaScript ecosystem, "this is the kind of incident where teams should drop everything and verify their dependencies immediately."
What Do the Axios Attackers Want?
Attribution has been a dynamic topic, to say the least. Early reports tied activity to TeamPCP, a threat actor known for conducting cloud-native threat activity, including ransomware attacks. However, today Google sent a statement to Dark Reading attributing the attack to suspected North Korean threat actor UNC1069.Google Threat Intelligence Group chief analyst John Hultquist writes in an emailed statement that while the full breadth of the incident remains unclear, Google expects it to have a far-reaching impact. It's worth noting that North Korea has done this kind of thing before.
Kurmi says that based on how the RAT operates (and not accounting for other vendor attributions), the Axios attacker could be interested in access brokering or espionage.
"The RAT's first action is device profiling (hostname, username, OS, processes, directory walk) before doing anything else — that's cataloging, not looting. A blunt infostealer grabs credentials and leaves; this one fingerprints the environment and waits for instructions, pointing to initial access brokerage or targeted espionage," he says. "Axios lives in developer environments holding source code, deploy keys, and cloud credentials a cryptominer has no use for, and the 18-hour pre-staging, simultaneous branch poisoning, and anti-forensics suggest an actor who has done this before."
If North Korea is involved, Kurmi says that changes the story significantly, as UNC1069 is best known as an arm of North Korea's Lazarus Group responsible for filling DPRK coffers. They steal cryptocurrency and seize credentials that can be used to access wallets or fintech architecture. Moreover, "What makes this particularly notable is that it would represent DPRK's first successful compromise of a top-10 npm package."
New Standard for Open Source Supply Chain Attack Sophistication
The open source supply chain has faced a number of noteworthy threats in recent months, such as Shai-hulud and GlassWorm, but the attack on Axios stands out for a few different reasons. While many of the open source supply chain attacks relied on more opportunistic means of infection and blunt force infostealers, StepSecurity used the word "precision" to describe this attack."The malicious dependency was staged 18 hours in advance. Three payloads were pre-built for three operating systems. Both release branches were poisoned within 39 minutes of each other. Every artifact was designed to self-destruct. Within two seconds of npm install, the malware was already calling home to the attacker's server before npm had even finished resolving dependencies," the blog post read. "This is among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package."
StepSecurity's Ashish Kurmi tells Dark Reading this was far more sophisticated than a typical NPM attack, as most rely on typosquatting, but "this required compromising a real maintainer account, bypassing Axios' OIDC-based publishing pipeline, and building anti-forensics that make npm list report the wrong version post-infection."
Kurmi calls that "operational tradecraft," not a script. "We've been tracking several supply chain attacks from last year to this year — the Shai-Hulud attacks, the Nx Singularity incident, the tj-actions/changed-files compromise, the Trivy compromise, Checkmarx KICS, the LiteLLM PyPI compromise, the Canister worm, and now Axios — each one has shown a step up in operational sophistication and anti-forensic awareness."
As for how "bad" this attack is from the defender's point of view, Kurmi notes that the total installs would have been limited because the primary exposure window (not causing the one aforementioned exception) was only about three hours in practice. However, developers that were impacted during that time would have likely seen no error, warning, or trace left behind. As such, "A quiet, traceless compromise of a developer's machine is a fundamentally different risk than something loud that gets patched fast."
Endor Labs security researcher Peyton Kennedy agrees the attack is a big step up in its sophistication.
"Last year, Shai-hulud's worm-based propagation was novel, and we've since seen that technique replicated in CanisterWorm and other campaigns. This attack is a different kind of escalation: staged dependency seeding to evade scanners, platform-specific payload chains, and self-deleting anti-forensic cleanup," Kennedy says. "This looks like deliberate, planned tradecraft from an experienced threat actor."