Malicious Code Hits 100M Downloads Via Axios

A severe supply chain attack has been discovered in Axios, the popular JavaScript HTTP library that is downloaded more than 100 million times a week. Malicious versions of Axios were published to npm that pull in a remote access Trojan (RAT) designed to compromise developer machines and steal credentials.


JavaScript developers received alarming news recently with the discovery of a sophisticated attack targeting Axios, a widely used library downloaded more than 100 million times a week from npm. The incident is a textbook supply chain attack: anyone who installed the poisoned versions, whether on a laptop or in an automated build system, could have been compromised.

What Happened with Axios?

For over a decade, developers have relied on Axios to simplify network requests in Node.js and the browser. Recently, however, two malicious versions of Axios were published to the npm registry. What makes the attack notable is that the Axios source code itself was not modified: the poisoned releases instead declared a new, rogue dependency, and it was that dependency's post-install script that did the damage. The script downloaded a remote access Trojan (RAT) from a command and control server and then erased its own tracks, which made the compromise hard to spot after the fact.

How the Attack Works

The attack begins when a developer installs one of the compromised Axios versions, which drags in the rogue dependency. npm runs that dependency's post-install lifecycle script automatically, with no prompt. The script, a so-called "RAT dropper," first fingerprints the operating system, then contacts a remote server to fetch a second-stage payload built for that platform: the actual RAT. Once executed, the RAT gives the attackers remote control of the machine, from which they can harvest API keys for services such as AWS and OpenAI along with any other secrets stored on the system.

After the RAT is installed, the dropper covers its tracks. It deletes itself, strips the post-install entry from the installed package's manifest, and otherwise modifies package files so that a later inspection, or a routine `npm audit`, has nothing obvious to flag. This clean-up is what makes it hard for developers to realise their systems have been infiltrated.

How to Check if You’re Affected

Developers can take steps to determine whether their projects are affected. First, check which Axios version is actually installed. The `package.json` file usually holds only a version range, so look at the lockfile (`package-lock.json`) or at `node_modules/axios/package.json` for the resolved version. If version 1.6.7 or 1.6.8 is present, the project may be affected, since those versions pull in a package called `plain-crypto-js`. Next, look for a `plain-crypto-js` folder anywhere under `node_modules`, including nested `node_modules` directories.

If both a suspect Axios version and `plain-crypto-js` are found, the video's source guide provides platform-specific commands for macOS, Windows, and Linux that confirm whether the second-stage RAT is present on the machine. If it is, the system must be treated as compromised. Simply deleting the RAT binary is not sufficient, because whatever secrets were on the machine may already have been exfiltrated.

What to Do If Compromised

If a system is found to be compromised by the RAT, immediate action is crucial. Developers must immediately rotate all API keys and security tokens that might have been exposed. For detailed instructions and further guidance on cleaning and securing a compromised system, resources like the guide provided by Step Security are recommended.

The Root Cause: Account Compromise

The attack originated from a compromise of a project maintainer's npm account. Exactly how the attacker obtained the npm access token is unclear, but it was enough to publish new Axios versions under the legitimate package name. The attacker also controlled the package `plain-crypto-js`, named to resemble the legitimate cryptography library `crypto-js`, and used it to carry the malicious post-install script under the guise of a trusted dependency.

This incident underscores the risks of relying on third-party libraries, even popular ones. While Axios has long been favoured for its ease of use, native browser and Node.js APIs like `fetch` have made such libraries less essential for basic requests. Many developers still use them for convenience and extra features, but every dependency added is another publisher whose account security you are implicitly trusting.

Why This Matters

This sophisticated attack on a library used by millions of developers sends a clear warning about the vulnerabilities within software supply chains. It demonstrates how attackers can exploit trusted open-source packages to distribute malware widely and stealthily. The compromise of credentials and API keys can lead to significant financial losses, data breaches, and reputational damage for individuals and companies. It highlights the critical need for enhanced security practices in open-source development, including stricter account security, code review processes, and more robust dependency scanning tools.

Sponsor Spotlight: Mux

The video also briefly mentioned Mux, an API for hosting and streaming videos. Mux offers tools to programmatically interact with video content, such as extracting captions and clips for features like video search and content moderation. They also maintain the popular open-source video player, Video.js, which recently released a smaller, more modern version 10. Mux provides a free tier with 10 videos and 100,000 delivery minutes per month, with additional credits available for new sign-ups.


Source: Millions of JS devs just got penetrated by a RAT… (YouTube)

Written by

Joshua D. Ovidiu

I enjoy writing.
