7 min read
By: RedLegg's Cyber Threat Intelligence Team
About:
A supply chain attack targeted the widely used axios npm package by compromising the maintainer account and publishing malicious versions directly to the npm registry.
The attacker introduced a hidden dependency, plain-crypto-js@4.2.1, which executed automatically via a postinstall script during npm installation. This behavior required no user interaction beyond running npm install, making the attack highly effective across developer environments, CI/CD pipelines, and production systems.
The malicious payload deployed a cross-platform Remote Access Trojan affecting Windows, macOS, and Linux systems. It established communication with attacker-controlled infrastructure, executed additional payloads, and harvested sensitive data including SSH keys, cloud credentials, environment variables, and CI/CD secrets.
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Supply Chain Compromise in Axios npm Package
PoC or Exploitation:
This is an actively exploited supply chain attack. Malicious versions of axios were published to npm and automatically executed a payload during installation. Exploitation required no user interaction beyond running npm install, making it highly effective across developer environments, CI/CD pipelines, and production systems.
Update/ Patch:
Malicious versions have been removed from npm.
Affected versions:
- axios 1.14.1
- axios 0.30.4
Safe versions:
- axios 1.14.0 and earlier (1.x branch)
- axios 0.30.3 and earlier (0.x branch)
Organizations should immediately downgrade or pin to known safe versions and audit environments for compromise.
Reference and advisory:
Description:
A supply chain attack targeted the widely used axios npm package by compromising the maintainer account and publishing malicious versions directly to the npm registry.
The attacker injected a hidden dependency, plain-crypto-js@4.2.1, which was not used by the application but executed automatically via a postinstall script during npm installation.
This malicious dependency deployed a cross-platform Remote Access Trojan affecting Windows, macOS, and Linux systems. The malware established communication with a command-and-control server, executed additional payloads, harvested sensitive data such as SSH keys, cloud credentials, environment variables, and CI/CD secrets, and attempted to remove traces of its execution.
Mitigation Recommendation:
Immediately remove any usage of axios versions 1.14.1 and 0.30.4.
Pin axios to a known safe version and avoid using floating version ranges.
Audit systems for indicators of compromise, including the presence of the plain-crypto-js package in node_modules.
Treat all secrets in affected environments as compromised and rotate credentials immediately.
Review CI/CD pipeline logs and recent builds for suspicious activity during the exposure window.
Implement dependency security controls such as package pinning, integrity verification, and monitoring for anomalous package behavior.
