Malware & Ransomware · HIGH

Axios NPM Package Compromised - Supply Chain Attack Exposed

Trend Micro Research · Reporting by Peter Girnus
Summary by CyberPings Editorial·AI-assisted·Reviewed by Rohit Rana

In short: attackers hijacked the Axios maintainer's npm account and used it to push malware onto users' machines.

Quick Summary

A major supply chain attack compromised the Axios NPM package, affecting millions of users. Malicious versions deployed a RAT, posing serious security risks. Swift action was taken to remove the threats.

What Happened

On March 30, 2026, the Axios NPM package, a widely used JavaScript HTTP client, fell victim to a supply chain attack. Attackers hijacked the npm account of the lead maintainer, publishing two malicious versions (1.14.1 and 0.30.4) that included a phantom dependency designed to deploy a cross-platform remote access trojan (RAT). This malware could execute on macOS, Windows, and Linux, making it a significant threat to users.

Who's Affected

The attack potentially impacted Axios users worldwide; the package sees over 100 million weekly downloads. Organizations across many sectors, including Government, Finance, Retail, and Technology, may have pulled the malicious versions. The speed with which the malicious versions were published and propagated raised fresh concerns about supply chain security in the software ecosystem.

What Data Was Exposed

While specific user data exposure was not detailed, the malware's ability to install a RAT means that attackers could gain unauthorized access to sensitive information from affected systems. The malware was designed to erase its own traces, complicating detection and forensic analysis.

What You Should Do

If you are using Axios, ensure you update to the latest version immediately. Monitor your systems for any suspicious activity, especially if you installed versions 1.14.1 or 0.30.4. Additionally, consider employing security tools that can detect and mitigate RATs and other malware threats.

Technical Analysis

The attack was meticulously planned. The attacker published a phantom dependency, plain-crypto-js@4.2.1, which the Axios code never imported; its only purpose was a postinstall lifecycle script, run automatically by npm during installation, that dropped the RAT. This technique is known as a phantom dependency attack: a package is added to the dependency tree solely for the side effects of its install scripts, not for any code the project actually uses.
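The following added example (not code from the Trend Micro article or the Axios project) shows the lockfile check a defender would run for the two points above: it flags the malicious Axios versions, the phantom dependency, and, more generally, any dependency that npm recorded as having an install script. The package-lock.json it scans is constructed inline for the demo; `hasInstallScript` is the real field npm writes into lockfileVersion 2 and 3 entries for packages with install lifecycle scripts.

```javascript
// Added example: scan a package-lock.json (lockfileVersion 2/3) for the
// indicators described in the Axios incident. Not the project's own code.

// Versions the article identifies as malicious.
const BAD_AXIOS_VERSIONS = new Set(['1.14.1', '0.30.4']);
// Phantom dependency named in the article.
const PHANTOM_DEP = 'plain-crypto-js';

// Walks the lockfile's "packages" map (keys look like "node_modules/<name>",
// nested as "node_modules/a/node_modules/b") and returns a list of findings.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // "" is the root project itself
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const version = entry.version;
    if (name === 'axios' && BAD_AXIOS_VERSIONS.has(version)) {
      findings.push({ name, version, reason: 'known-malicious axios version' });
    }
    if (name === PHANTOM_DEP) {
      findings.push({ name, version, reason: 'phantom dependency from the Axios incident' });
    }
    if (entry.hasInstallScript === true) {
      // Any package with (pre|post)install scripts deserves a look; this is
      // the mechanism the phantom dependency abused.
      findings.push({ name, version, reason: 'declares an install lifecycle script' });
    }
  }
  return findings;
}

// Constructed sample lockfile mirroring what a compromised install would record.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '4.2.1' } },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
    'node_modules/follow-redirects': { version: '1.15.9' },
  },
};

for (const f of scanLockfile(sampleLock)) {
  console.log(`${f.name}@${f.version}: ${f.reason}`);
}
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a clean tree should yield no axios or plain-crypto-js findings, and every remaining install-script finding should be a package you recognise.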

How the Maintainer Account Was Hijacked

The attacker took over the maintainer's npm account and changed its email address to one they controlled, which let them publish new versions without the usual safeguards. The malicious versions were published manually with a stolen npm token rather than through the project's GitHub Actions workflow, so the OIDC Trusted Publisher protections that workflow provides never applied to them.

Forensic Analysis

Forensic investigation revealed advanced obfuscation techniques in the malware, making it difficult to analyze. The RAT was designed to self-destruct after execution, replacing its files with clean decoys to avoid detection. Automated npm security scanners flagged the malicious dependency within minutes, leading to a swift response from npm's administrators, who removed the compromised packages shortly after their discovery.

Conclusion

This incident underscores the critical need for enhanced security measures in the software supply chain. Developers and organizations must prioritize dependency management and implement robust security practices to mitigate similar risks in the future.

🔒 Pro insight: This incident highlights the vulnerabilities in supply chain security, emphasizing the need for stricter dependency management and monitoring practices.

