Cybersecurity Threat Advisory

The widely used HTTP client Axios was compromised recently in an incident that many researchers are attributing to a North Korean–linked cyberattack. Attackers gained access to the NPM account of an Axios maintainer, “jasonsaayman,” and published two malicious versions of the package. Read this Cybersecurity Threat Advisory to protect your and your clients’ environments.

What is the threat?

According to StepSecurity, two compromised versions of Axios—version 1.14.1 and version 0.30.4—were published using the stolen credentials of the maintainer. Publishing directly with those credentials allowed the attackers to bypass Axios’s GitHub Actions CI/CD pipeline. These versions injected plain-crypto-js version 4.2.1 as a malicious dependency.

The sole purpose of this injected dependency was to execute a post-install script that functions as a cross-platform remote access trojan (RAT) dropper. The script runs during the normal package installation process and targets macOS, Windows, and Linux systems.

Why is it noteworthy?

After gaining a foothold, the RAT dropper contacts a live command-and-control (C2) server, which delivers a platform-specific second-stage payload. Following execution, the malware deletes itself and replaces the compromised package with a clean version in an effort to evade forensic detection.

This level of self-cleanup demonstrates increased sophistication compared to more common supply-chain attacks, as it significantly reduces visible indicators of compromise and makes detection and investigation more difficult.

What is the exposure or risk?

With more than 83 million weekly downloads, Axios is one of the most commonly used HTTP clients in the JavaScript ecosystem, powering frontend frameworks, backend services, and enterprise applications. Even brief insertion of malicious code into such a widely trusted dependency allows attackers to exploit routine software updates and automated build processes—often without immediate detection.

What are the recommendations?

Barracuda strongly recommends taking the following actions to reduce exposure and mitigate risk:

  • Scan affected systems for exposed secrets, including API keys, tokens, and environment variables, and rotate them immediately.
  • Remove any malicious artifacts from endpoints, build pipelines, and production environments.
  • Downgrade Axios to a known safe version (version 1.14.0 or version 0.30.3).
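One way to check a project for the versions named above is to scan its package-lock.json. The script below is an added example, not code from Barracuda, StepSecurity, or the Axios project; the sample lockfile it scans is constructed for illustration, and "example-dep" is a placeholder package name.

```javascript
// Added example (not from the advisory or the Axios project): scan a parsed
// package-lock.json for the compromised releases the advisory names.
const COMPROMISED = {
  axios: new Set(["1.14.1", "0.30.4"]),  // published with the stolen maintainer credentials
  "plain-crypto-js": new Set(["4.2.1"]), // dependency injected to carry the install script
};

// Supports lockfile v2/v3 ("packages" keyed by node_modules path) and the
// legacy v1 nested "dependencies" tree. Returns {name, version, path, installScript}[].
function findCompromised(lock) {
  const findings = [];
  const check = (name, version, path, installScript) => {
    const bad = COMPROMISED[name];
    if (bad && bad.has(version)) findings.push({ name, version, path, installScript });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project entry
      // name is everything after the last "node_modules/" (keeps @scope/name intact)
      const name = meta.name || path.slice(path.lastIndexOf("node_modules/") + 13);
      // npm sets hasInstallScript on packages with (pre|post)install hooks
      check(name, meta.version, path, Boolean(meta.hasInstallScript));
    }
    return findings;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      check(name, meta.version, path, false); // v1 lockfiles carry no script flag
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return findings;
}

// Constructed sample lockfile (v3 shape) describing a poisoned install.
const SAMPLE_LOCK = {
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/example-dep": { version: "2.0.0" },
  },
};
for (const f of findCompromised(SAMPLE_LOCK)) {
  console.log(`COMPROMISED ${f.name}@${f.version} at ${f.path}${f.installScript ? " (install script)" : ""}`);
}
```

For a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to findCompromised; yarn and pnpm lockfiles use different formats and need their own parser.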

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.



Posted by Zachary Beaudet

Zachary is a Cybersecurity Analyst at Barracuda MSP. He's a security expert, working on our Blue Team within our Security Operations Center. Zachary supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
