The author built a proof-of-concept AI-driven monitor that diffs package releases and flagged a malicious npm compromise of Axios that used a phantom dependency with a postinstall hook to deploy cross-platform malware. The incident ties into a wider supply-chain campaign (Trivy → LiteLLM → Telnyx → Axios) attributed to TeamPCP, prompting coordinated detection, takedown, and recommendations for registry monitoring and release soak times. #Axios #TeamPCP
Keypoints
- The author created supply-chain-monitor, a PoC that diffs package releases and uses an LLM (via Cursor) to classify changes as malicious or benign.
- The tool detected a malicious npm compromise of axios (published as versions including 0.30.4 and 1.14.1) that used a phantom dependency (plain-crypto-js) with a postinstall hook to deploy malware.
- The wider campaign included prior compromises: Trivy (stole CI/CD creds), LiteLLM (malicious PyPI releases), and Telnyx (steganographic payloads), demonstrating credential theft cascades.
- Malicious techniques observed included base64 obfuscation, steganography (payloads in WAV files), a Windows persistence implant disguised as msbuild.exe, and exfiltration to a hardcoded C2.
- The author coordinated rapid disclosure when registry/portal contact failed, published telemetry and analyses with Elastic Security Labs, and the axios maintainer quickly removed the malicious packages.
- Practical mitigations recommended: automated diff+AI monitoring of top packages, faster credential rotation after breaches, and enforcing release “soak time” (e.g., npm/pnpm/yarn min-release-age settings).
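The release-diff check described in the key points above, written out as an added example (not code from supply-chain-monitor or the original article): it compares two package manifests and flags any newly added dependency that the package's own source never imports and that declares an install-time lifecycle script. The function names, the `example-benign-dep` package, and all sample manifests, version strings and file contents are constructed assumptions.

```javascript
// Added example: flag dependencies that are new in a release, never imported
// by the package's own code, and that run an install-time lifecycle script.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Names of dependencies present in `next` but absent from `prev`.
function addedDependencies(prev, next) {
  const before = new Set(Object.keys(prev.dependencies || {}));
  return Object.keys(next.dependencies || {}).filter((n) => !before.has(n));
}

// True if any source file requires/imports `name` or a subpath of it.
function isImported(name, sources) {
  const esc = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp(`(?:require\\(|from|import)\\s*\\(?\\s*["']${esc}(?:/[^"']*)?["']`);
  return Object.values(sources).some((text) => re.test(text));
}

// `registry` maps a dependency name to that dependency's own package.json.
function reviewRelease(prev, next, sources, registry) {
  return addedDependencies(prev, next).map((name) => {
    const scripts = (registry[name] || {}).scripts || {};
    const hooks = INSTALL_HOOKS.filter((h) => h in scripts);
    const phantom = !isImported(name, sources);
    return { name, hooks, phantom, suspicious: phantom && hooks.length > 0 };
  });
}

// Constructed sample input modelled on the incident described above;
// version ranges, script names and file contents are placeholders.
const prev = { name: "axios", dependencies: { "follow-redirects": "*", "form-data": "*" } };
const next = {
  name: "axios",
  dependencies: { "follow-redirects": "*", "form-data": "*", "plain-crypto-js": "*", "example-benign-dep": "*" },
};
const sources = {
  "lib/adapters/http.js": 'const follow = require("follow-redirects");\nimport helper from "example-benign-dep";',
};
const registry = {
  "plain-crypto-js": { scripts: { postinstall: "node placeholder.js" } },
  "example-benign-dep": { scripts: { test: "node test.js" } },
};

console.log(reviewRelease(prev, next, sources, registry));
```

A flagged entry is a triage signal for human or LLM review, since legitimate packages also add dependencies with install scripts.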
MITRE Techniques
- [T1195.002] Compromise Software Dependencies and Development Tools – Attackers introduced a malicious dependency that executed during installation (‘they added a phantom dependency called plain-crypto-js that ran a postinstall hook deploying cross-platform malware’).
- [T1059] Command and Scripting Interpreter – The attack relied on lifecycle/script execution via npm postinstall hooks to run payloads on victims’ machines (‘postinstall hook deploying cross-platform malware’).
- [T1027] Obfuscated Files or Information – Payloads and code were obfuscated using base64 to hinder analysis (‘base64 obfuscation’).
- [T1027.005] Steganography – Attackers hid payloads inside WAV audio files as a covert storage and delivery mechanism (‘payloads hidden inside WAV audio files (steganography)’).
- [T1041] Exfiltration Over C2 Channel – The malware exfiltrated data to a hardcoded command-and-control server (‘exfiltration to a hardcoded C2’).
- [T1078] Valid Accounts – The adversary compromised a maintainer’s npm account and changed the email to one they controlled to publish malicious releases (‘compromised a maintainer’s npm account, changed the email to a ProtonMail account they controlled’).
Indicators of Compromise
- [Package names/versions] Malicious or impacted packages – axios v0.30.4, plain-crypto-js (malicious dependency), and other impacted packages like telnyx and LiteLLM.
- [File names] Notable artifact names observed – _client.py (telnyx modified file), msbuild.exe (Windows persistence implant disguised as legitimate filename).
- [Registry/URLs] Registry references and disclosure links – https://www.npmjs.com/package/axios/v/0.30.4, github.com/elastic/supply-chain-monitor (project/repo).
- [Accounts/emails] Account takeover indicator – maintainer npm account email replaced with a ProtonMail account (specific address not published).
- [Network/C2] Command-and-control infrastructure (context only) – hardcoded C2 referenced by the malware (server details not disclosed in article).
Read more: https://www.elastic.co/security-labs/how-we-caught-the-axios-supply-chain-attack