Palo Alto Networks Unit 42 discovered that attackers hijacked an Axios maintainer’s npm account to publish compromised Axios versions v1.14.1 and v0.30.4, which pulled in the malicious dependency plain-crypto-js (versions 4.2.0/4.2.1), a cross-platform remote access trojan (RAT) for Windows, macOS, and Linux. The postinstall dropper (setup.js) used heavy obfuscation to fetch platform-specific payloads from sfrclak[.]com:8000, overlapped with WAVESHAPER and DPRK-linked activity, and prompted broad mitigations including downgrading Axios and blocking C2 traffic. #Axios #plain-crypto-js
Keypoints
- Attackers hijacked an Axios maintainer’s npm account and published compromised releases v1.14.1 and v0.30.4 without modifying the Axios source code; instead they added plain-crypto-js as a runtime dependency.
- The injected package triggered npm’s postinstall hook to run an obfuscated Node.js dropper (setup.js) that used string reversal, Base64 decoding and an XOR cipher (OrDeR_7077) to hide its actions.
- The dropper contacted a C2 at sfrclak[.]com:8000 using platform-specific paths (packages.npm[.]org/product0/1/2) to download macOS, Windows, or Linux RAT payloads.
- Payloads implemented a unified RAT framework in C++, PowerShell and Python, beaconing every 60 seconds, supporting commands (kill, runscript, peinject, rundir) and establishing persistence (including a Windows Run registry key).
- The dropper cleaned up after itself (deleting setup.js, removing the postinstall hook, and replacing package.json with a decoy package.md) to hide signs of compromise.
- Unit 42 notes overlap with WAVESHAPER and previously DPRK-linked operations and provides multiple mitigations: auditing packages, downgrading/pinning Axios, blocking C2 traffic, rotating credentials, and rebuilding compromised systems.
- Palo Alto Networks product protections (Advanced WildFire, Cortex XDR, XSIAM, Cortex Cloud) and Unit 42 incident response services were highlighted as available defenses and response options.
MITRE Techniques
- [T1105] Ingress Tool Transfer – The dropper fetched platform-specific payloads from a remote C2 at sfrclak[.]com:8000 (‘the dropper queries the operating system and sends an HTTP POST request to a command-and-control (C2) server at sfrclak[.]com:8000’).
- [T1204.005] User Execution: Malicious File – The malicious package exploited npm postinstall execution to run an obfuscated Node.js dropper (‘npm’s postinstall lifecycle hook, executing a heavily obfuscated Node.js dropper script named setup.js’).
- [T1219] Remote File Copy – The attack staged and deployed platform-specific payloads by downloading executables or scripts to victim systems (‘the dropper uses AppleScript to download a C++ compiled Mach-O binary… copies the Windows PowerShell binary to %PROGRAMDATA%wt.exe… downloads a Python RAT script to /tmp/ld.py’).
Indicators of Compromise
- [SHA256 Hash] Malicious payload and installer hashes – ad8ba560ae5c4af4758bc68cc6dcf43bae0e0bbf9da680a8dc60a9ef78e22ff7, fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf, and 28 more hashes
- [Domain / URL] Command-and-control domains and URLs – sfrclak[.]com, callnrwise[.]com, and hxxp://sfrclak[.]com:8000/6202033 (used by the dropper to fetch stage-two payloads)
- [IP Address] C2 infrastructure – 142.11.206[.]73 (noted C2 IP for sfrclak[.]com)
- [File paths / filenames] Platform-specific malware artifacts and drop locations – /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%wt.exe (Windows), /tmp/ld.py (Linux)
- [Package names / versions] Compromised and malicious npm packages – axios v1.14.1 and v0.30.4 (compromised releases), plain-crypto-js@4.2.1 (injected malicious dependency; 4.2.0 also referenced)
Read more: https://unit42.paloaltonetworks.com/axios-supply-chain-attack/