Axios npm Supply Chain Compromise


What is the Attack?

A software supply chain attack targeted the widely used JavaScript library Axios after an attacker reportedly compromised a maintainer’s npm account and published malicious package versions 1.14.1 and 0.30.4. These versions introduced a concealed dependency, plain-crypto-js@4.2.1, which executed during installation and deployed a cross-platform remote access trojan (RAT).

Axios is a widely adopted HTTP client for both browser and Node.js environments, with more than 100 million weekly downloads and extensive use across:

– Web applications
– Backend services
– CI/CD pipelines

The malicious versions were available for approximately 2–3 hours before being removed. Any system that executed npm install during that period and retrieved the affected versions should be treated as potentially fully compromised.

This is a high-impact software supply chain compromise that abused a trusted package distribution channel. By using a hidden dependency and install-time execution, the attacker enabled automated compromise at scale, with particular risk to developer workstations, build servers, and software delivery pipelines.

What is the recommended Mitigation?

To mitigate this compromise, users of the affected packages should immediately downgrade to a safe version and audit their environments for indicators of compromise. Treat affected systems as fully compromised and perform the following actions:

  • Identify and remove:
    – axios@1.14.1, axios@0.30.4
    – plain-crypto-js
    – Treat affected systems as fully compromised

  • Rotate:
    – Credentials, tokens, API keys
    – Rebuild environments from a trusted baseline

  • Enforce:
    – Dependency pinning
    – Install script restrictions (--ignore-scripts)
    – Supply chain monitoring controls

What FortiGuard Coverage is available?

  • Lacework FortiCNAPP: Protects against the Axios npm supply-chain compromise by providing end-to-end visibility and threat detection across development, build, and runtime environments.

    At runtime, it uses behavioral analytics and composite alerts to flag suspicious processes, cross-platform RAT artifacts, and network communication with attacker infrastructure, enabling rapid identification and containment of compromised systems. Continuous threat intelligence updates ensure detection of evolving supply chain attacks, while automated prioritization and remediation guidance help organizations isolate affected hosts, remove malicious dependencies, and restore trusted development and production environments.

    Read the full solution: How does Lacework FortiCNAPP Protect | Fortinet Community

  • FortiGuard Incident Response: Organizations that suspect exposure to the compromised axios npm package (1.14.1, 0.30.4) should engage FortiGuard Incident Response for rapid investigation, containment, and recovery. FortiGuard IR provides expert-led analysis to identify affected systems and remove malicious dependencies.

  • FortiGuard Labs Threat Intelligence: FortiGuard Labs is actively monitoring software supply chain attacks targeting open-source ecosystems, including the axios compromise. This activity involves malicious package publication via compromised maintainer accounts, use of phantom dependencies, and post-install script execution to deploy cross-platform RAT payloads. Ongoing tracking includes malicious package versions, dependency abuse techniques, command-and-control infrastructure, and downstream impact across developer and enterprise environments. Intelligence updates, IOCs, and mitigation guidance will be continuously refined as additional data becomes available.

  • FortiGuard Antivirus & Behavior Detection: FortiGuard provides detection coverage for RAT payloads and malicious post-install behaviors associated with compromised npm packages.
