Executive Summary

    On March 30th, an npm supply chain attack was carried out against the widely used npm package Axios. Axios is one of the most ubiquitous JavaScript libraries and is commonly seen in most JavaScript deployments. The attackers gained access to the npm credentials of one of the Axios developers and released a malicious package that would fetch and install a cross-platform Remote Access Trojan (RAT) on macOS, Windows, and Linux systems.

    The malicious libraries published to NPM were removed within three hours and are not available to download as of the time of publication.

    Organizations that may be affected should immediately audit their installed npm packages to confirm whether axios@1.14.1 or axios@0.30.4 was installed. If so, treat the machine as compromised and follow the Mitigations and Workarounds below.

    Affected Systems or Products

    Product | Affected Version | Unaffected Version
    --------|------------------|-------------------
    Axios   | 1.14.1           | 1.14.0
    Axios   | 0.30.4           | 0.30.3

    Mitigations / Workarounds

    Block the endpoint used for command and control in this attack: sfrclak[.]com on port 8000, which at the time of the attack resolved to 142.11.206.73.

    If you believe a machine has already been compromised, we do not advise cleaning it in place; re-image or rebuild affected machines from known good images.

    Using pinned versions of libraries is recommended to limit this kind of attack when new malicious versions of any library are released. To pin axios to a known unaffected version, run the command that matches your existing version:

    • npm install axios@1.14.0
    • npm install axios@0.30.3

    npm offers a configuration setting, npm config set min-release-age 3, that enforces a two to three day waiting period on new package releases before they are installed on your machine. This is advised for all developers using external packages. For machines running without human interaction, such as CI/CD pipelines, we advise not only pinning package versions but also disabling install scripts with the --ignore-scripts argument wherever possible.

    Patches

    While not strictly a patch, ensuring that any affected npm packages installed on your machines are removed and purged is strongly recommended. This involves removing the affected packages and installing pinned versions of the unaffected axios package:

    • rm -rf node_modules/plain-crypto-js
    • npm install --ignore-scripts
    • npm cache clean --force

    Indicators of Compromise

    • Network Activity

      • sfrclak[.]com:8000
      • callnrwise[.]com
      • 142.11.206[.]73
    • Windows Files

      • %PROGRAMDATA%\wt.exe
      • %PROGRAMDATA%\system.bat
      • %TEMP%\6202033.vbs
      • %TEMP%\6202033.ps1
      • %TEMP%\<GUID>.ps1
    • Windows Registry Entries

      • Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      • Name: MicrosoftUpdate
      • Value: %PROGRAMDATA%\system.bat
    • macOS Files

      • /Library/Caches/com.apple.act.mond
      • /tmp/.XXXXXX.scpt
      • /private/tmp/.*
    • Linux Files

      • /tmp/ld.py

    File Hashes

    Hash (SHA-256)                                                   | Description
    -----------------------------------------------------------------|---------------------------------------------
    fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf | /tmp/ld.py - Linux RAT
    92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a | /Library/Caches/com.apple.act.mond - macOS RAT
    617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 | %PROGRAMDATA%\wt.exe - Windows RAT
    e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09 | setup.js - Dropper Script
    f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd | system.bat - PowerShell Script
    e49c2732fb9861548208a78e72996b9c3c470b6b562576924bcc3a9fb75bf9ff | system.bat - PowerShell Script
    ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c | 6202033 - PowerShell Script

    How Beazley Security is responding

    Beazley Security is conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

    If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.

    Appendix