One of the most popular JavaScript libraries, Axios, was recently the victim of an attack in which fake, malicious versions were made available for developers to install. These malicious versions install a remote access trojan (RAT), which is, as the name implies, a kind of malware that lets an attacker control compromised devices from a remote location.
Google has identified the attackers responsible as likely being UNC1069, “a financially motivated North Korea-nexus threat actor” that goes by CryptoCore.
They compromised the Axios maintainer’s npm account; npm is a trusted online registry where JavaScript code is shared and consumed. Two poisoned versions were published to the Axios npm package, and each added a new dependency that installs a RAT.
Malicious code never got into the official Axios source code itself, which remains safe; instead, two separate malicious versions were published from the account that usually publishes legitimate Axios releases. Given the way npm works, these compromised, fake versions were able to reach some developers.
The attack was staged almost a day in advance, the two poisoning attacks were timed pretty precisely, and evidence was erased post-exploit, pointing towards a calculated rather than opportunistic attack.
As cybersecurity company StepSecurity explains: “This was not opportunistic. It was precision. The malicious dependency was staged 18 hours in advance. Three payloads were pre-built for three operating systems. Both release branches were poisoned within 39 minutes of each other.
Every artifact was designed to self-destruct. Within two seconds of npm install, the malware was already calling home to the attacker’s server before npm had even finished resolving dependencies. This is among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package.”
However, it’s important to note that developers using Axios wouldn’t have been infected automatically. The malicious versions would have been installed by many projects whenever they next ran an npm install command. How often this command is run depends entirely on the company: maybe every week or two, or when a new package is installed.
Given that the malicious versions were removed within a few hours, it’s likely that most developers using Axios are safe. However, BitDefender says its “telemetry confirms RAT execution attempts on customer systems, blocked by GravityZone” and that “the blast radius is not theoretical.”
The company recommends identifying exposure, assessing for prior compromise, and monitoring outgoing network connections. Malwarebytes says: “If you are a developer deploying Axios, treat any machine that installed the bad versions as potentially fully compromised and rotate secrets. The attacker may have obtained repo access, signing keys, API keys, or other secrets that can be used to backdoor future releases or attack your backend and users.”
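One way to carry out the “identify exposure” step recommended above, as an added example that is not code from the article or from any of the vendors quoted: it reads a lockfileVersion 2/3 package-lock.json, lists every copy of axios (nested ones included), and flags any copy that matches a known-bad version list or that declares a dependency beyond the three a genuine axios 1.x release has (follow-redirects, form-data, proxy-from-env), which is the “added dependency” pattern the article describes. The article gives no version strings, so the bad-version entry is a placeholder, and the sample lockfile and the added dependency name are constructed.

```python
"""Exposure check for the poisoned axios releases described above (added example, not from the article)."""
import json
from pathlib import Path

# The article names no version numbers for the two poisoned releases: placeholder,
# to be replaced with the strings from an advisory.
KNOWN_BAD_VERSIONS = {"0.0.0-PLACEHOLDER-BAD"}
# Dependencies a legitimate axios 1.x release declares. The poisoned releases,
# as described above, added one more that installed the RAT.
EXPECTED_AXIOS_DEPS = {"follow-redirects", "form-data", "proxy-from-env"}

def find_axios_entries(lockfile):
    """(path, version, declared deps) for every axios copy in a v2/v3 package-lock, nested ones included."""
    found = []
    for path, meta in lockfile.get("packages", {}).items():
        if path.endswith("node_modules/axios"):
            found.append((path, meta.get("version"), set(meta.get("dependencies", {}))))
    return found

def assess(lockfile):
    """One finding per axios copy that is a known-bad version or declares a dependency a genuine release lacks."""
    findings = []
    for path, version, deps in find_axios_entries(lockfile):
        if version in KNOWN_BAD_VERSIONS:
            findings.append((path, version, "known poisoned version"))
        extra = sorted(deps - EXPECTED_AXIOS_DEPS)
        if extra:
            findings.append((path, version, "unexpected dependency: " + ", ".join(extra)))
    return findings

# Constructed sample: a clean top-level axios plus a nested copy under another
# package that resolved to the placeholder bad version with an added dependency.
CLEAN_DEPS = {"follow-redirects": "^1.15.6", "form-data": "^4.0.0", "proxy-from-env": "^1.1.0"}
SAMPLE_LOCKFILE = {
    "lockfileVersion": 3,
    "packages": {
        "node_modules/axios": {"version": "1.7.9", "dependencies": dict(CLEAN_DEPS)},
        "node_modules/some-sdk/node_modules/axios": {
            "version": "0.0.0-PLACEHOLDER-BAD",
            "dependencies": {**CLEAN_DEPS, "hypothetical-added-dep": "^1.0.0"},
        },
    },
}

if __name__ == "__main__":
    lock = Path("package-lock.json")  # falls back to the constructed sample if absent
    data = json.loads(lock.read_text()) if lock.exists() else SAMPLE_LOCKFILE
    for path, version, why in assess(data) or [("-", "-", "no findings")]:
        print(f"{path}@{version}: {why}")
```

A lockfile shows what a project would install; for machines that already ran npm install, compare against node_modules/axios/package.json as well, since that is what actually ran.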
Someone from a cybersecurity site and educational malware repo, VX-Underground, recently explained the severity of this on X as follows: “The impact from Axios being compromised is devastating, the fallout from this will be a massive headache. This is unironically a malware nuclear missile and will likely be studied in the future.”
