An attacker compromised the npm account of a lead Axios maintainer on March 30 and used it to publish two malicious versions of the widely used JavaScript HTTP client library, according to StepSecurity. The poisoned releases, axios@1.14.1 and axios@0.30.4, injected a hidden dependency that silently installed a cross-platform remote access trojan on developer machines running macOS, Windows, and Linux. Axios is downloaded roughly 100 million times per week on npm.
Both malicious versions added a single new dependency to the package manifest: plain-crypto-js@4.2.1, a purpose-built trojan disguised as the legitimate crypto-js library. The package was never imported or referenced anywhere in Axios source code. Its only function was to execute a postinstall script that contacted a command-and-control server at sfrclak.com, downloaded a platform-specific RAT payload, and then destroyed all evidence of its own execution.
StepSecurity’s runtime analysis confirmed that the dropper made its first outbound connection to the C2 server just 1.1 seconds after npm install began. On macOS, the RAT binary was written to /Library/Caches/com.apple.act.mond, mimicking an Apple system process. On Windows, the malware copied PowerShell to %PROGRAMDATA%\wt.exe and executed a hidden script. On Linux, it downloaded a Python-based RAT to /tmp/ld.py.
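As an added example (not code from the article, StepSecurity or the Axios project), the following audit captures the two warning signs the report describes: a newly declared dependency that the project's source never imports, and one that hooks npm's install lifecycle. The manifests and source it inspects are constructed in-memory stand-ins, so it runs offline.

```javascript
// Added example, not from the article or the Axios project: flag declared dependencies
// that are never imported by the project's source yet declare install-time lifecycle
// scripts (the two properties of the injected plain-crypto-js dependency). All inputs
// below are constructed stand-ins for package.json, node_modules and source files.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Constructed project manifest (package.json) with one unexpected dependency.
const PROJECT_MANIFEST = {
  name: "sample-app",
  dependencies: { axios: "^1.14.0", lodash: "^4.17.21", "plain-crypto-js": "4.2.1" },
};

// Constructed stand-ins for each installed package's own package.json.
const INSTALLED_MANIFESTS = {
  axios: { name: "axios", version: "1.14.0" },
  lodash: { name: "lodash", version: "4.17.21" },
  "plain-crypto-js": {
    name: "plain-crypto-js",
    version: "4.2.1",
    scripts: { postinstall: "node setup.js" }, // runs automatically during npm install
  },
};

// Constructed project source: only axios is ever imported; lodash is declared but unused.
const PROJECT_SOURCE = `
const axios = require("axios");
import { get } from "axios";
export async function fetchUser(id) { return axios.get("/users/" + id); }
`;

// Collect bare package names the source imports or requires (relative paths skipped).
function importedPackages(source) {
  const names = new Set();
  const re = /(?:require\(\s*|from\s+|import\s+)["']([^"'./][^"']*)["']/g;
  for (const m of source.matchAll(re)) {
    const parts = m[1].split("/"); // "@scope/pkg/sub" -> "@scope/pkg", "pkg/sub" -> "pkg"
    names.add(m[1].startsWith("@") ? parts.slice(0, 2).join("/") : parts[0]);
  }
  return names;
}

// Report dependencies that are never imported AND hook the install lifecycle.
function auditDependencies(manifest, installed, source) {
  const used = importedPackages(source);
  const findings = [];
  for (const name of Object.keys(manifest.dependencies || {})) {
    const meta = installed[name] || {};
    const hooks = LIFECYCLE_HOOKS.filter((h) => h in (meta.scripts || {}));
    if (!used.has(name) && hooks.length > 0) findings.push({ name, version: meta.version, hooks });
  }
  return findings;
}
```

Running the audit on the constructed inputs reports only plain-crypto-js 4.2.1 with its postinstall hook; lodash is unused but harmless, and axios is imported. Install-time hooks can also be refused outright with `npm install --ignore-scripts`, so a dependency like this cannot run code before anyone has reviewed it.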
