Attackers hijacked the npm account of the popular Axios package and published two malicious releases whose newly added dependency installs remote access trojans on Linux, Windows, and macOS. The tainted releases ([email protected] and [email protected]) lacked npm's OIDC provenance attestation, and their OS-specific droppers, which self-destruct after running, had been staged in advance; users are advised to pin to [email protected] and [email protected], rotate credentials, and rebuild from known-good states. #Axios #plain-crypto-js
Keypoints
- Attackers compromised the npm account of Axios maintainer Jason Saayman to publish malicious releases.
- Two malicious package versions ([email protected] and [email protected]) declared a pre-staged dependency, plain-crypto-js@^4.2.1, whose install hook runs a dropper.
- The dropper delivers OS-specific RAT payloads: VBScript/PowerShell persistence on Windows, AppleScript binaries on macOS, and a Python payload on Linux.
- After deployment the installer deletes itself and restores package.json to hide its traces; researchers found the dependency had been published roughly 18 hours before the malicious Axios releases.
- Mitigation: pin to [email protected] or [email protected], rotate any credentials reachable from systems that installed the tainted versions, and rebuild those environments from a known good state.
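A practical first check for the mitigation above is to look at what is actually in your lockfile rather than at package.json ranges. The script below is an added example, not code from the advisory or from the Axios project: it scans an npm lockfile (lockfileVersion 2 or 3) for the staged dependency named here, plain-crypto-js, for any entry npm has flagged as declaring an install hook, and for which entries pull the suspect package in. SAMPLE_LOCKFILE is constructed for the example; its version strings are placeholders, since this page does not reproduce the affected Axios version numbers, and the helper names (scanLockfile, dependentsOf, report) are the example's own.

```javascript
// Added example: triage an npm lockfile for a staged dependency with an install hook.
// Handles lockfileVersion 2/3 ("packages" map); v1 lockfiles (only "dependencies") are not covered.

const SUSPECT_PACKAGES = new Set(["plain-crypto-js"]); // name taken from the advisory summary

// Lockfile v2/v3 keys each entry by its path under node_modules; the package name is
// everything after the last "node_modules/" segment (scoped names keep "@scope/").
function packageNameFromPath(p) {
  const marker = "node_modules/";
  const i = p.lastIndexOf(marker);
  return i === -1 ? p : p.slice(i + marker.length);
}

// One finding per (entry, reason). "hasInstallScript" is the flag npm writes into the
// lockfile when a package declares preinstall/install/postinstall scripts.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry
    const name = packageNameFromPath(path);
    if (SUSPECT_PACKAGES.has(name)) {
      findings.push({ path, name, version: meta.version, reason: "suspect package" });
    }
    if (meta.hasInstallScript === true) {
      findings.push({ path, name, version: meta.version, reason: "install script" });
    }
  }
  return findings;
}

// Direct dependents: lockfile entries that list `target` in their dependency maps.
function dependentsOf(lock, target) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const deps = { ...(meta.dependencies || {}), ...(meta.optionalDependencies || {}) };
    if (Object.prototype.hasOwnProperty.call(deps, target)) out.push(path === "" ? "(root)" : path);
  }
  return out;
}

// Human-readable report lines; suspect packages also get their direct dependents listed.
function report(lock) {
  const findings = scanLockfile(lock);
  const lines = findings.map((f) => `${f.reason}: ${f.name}@${f.version} (${f.path})`);
  const suspects = new Set(findings.filter((f) => f.reason === "suspect package").map((f) => f.name));
  for (const name of suspects) {
    lines.push(`${name} pulled in by: ${dependentsOf(lock, name).join(", ") || "nothing"}`);
  }
  return lines;
}

// Constructed sample lockfile (not a real capture): a project depending on axios, whose
// entry pulls in plain-crypto-js@^4.2.1, which ships an install script. Versions are placeholders.
const SAMPLE_LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.0.0" } },
    "node_modules/axios": {
      version: "0.0.0-placeholder",
      dependencies: { "follow-redirects": "^1.15.6", "plain-crypto-js": "^4.2.1" },
    },
    "node_modules/follow-redirects": { version: "1.15.6" },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
  },
};

// Usage: node scan-lock.js ./package-lock.json   (falls back to the sample when no path is given)
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("node:fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCKFILE;
  const lines = report(lock);
  console.log(lines.length ? lines.join("\n") : "no findings");
}
```

Two caveats: a lockfile only describes what npm resolved, so run this against the lockfile that was actually used for the affected installs (CI caches and Docker layers included), and treat any "install script" hit on a package you do not recognise as worth a look even when it is not on the suspect list. While triaging, `npm ci --ignore-scripts` keeps install hooks from running at all, and `npm audit signatures` checks registry signatures and provenance attestations, which is the property the tainted releases lacked.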