Critical Supply Chain Attack: Axios npm Package Compromised to Deliver Cross-Platform RAT

-

A major supply chain attack has impacted the widely used JavaScript library Axios, after attackers managed to publish malicious versions of the package to npm using compromised maintainer credentials.

The incident affects versions 1.14.1 and 0.30.4, which were found to include a hidden malicious dependency designed to deliver malware across multiple operating systems.

How the Attack Was Executed

The attackers gained access to the npm account of a core Axios maintainer, allowing them to push tampered versions of the package without raising immediate suspicion.

These malicious releases introduced a fake dependency named “plain-crypto-js”, which served as the initial infection vector.

Because the packages were published through legitimate channels, they bypassed standard CI/CD security checks, making the attack particularly dangerous.

Malware Delivery via Post-Install Script

The injected dependency was not just harmless code, it contained a post-install script that executed automatically when the package was installed.

This script acted as a dropper for a cross-platform Remote Access Trojan (RAT), targeting:

  • Windows
  • macOS
  • Linux

Once executed, the malware could establish persistent access and enable attackers to control infected systems remotely.

Why This Is Highly Dangerous

This attack highlights a critical weakness in the open-source ecosystem: trust in widely used dependencies.

Axios is one of the most popular HTTP clients in the JavaScript ecosystem, used in countless applications. By compromising it, attackers gain indirect access to a massive number of downstream projects.

This type of attack is especially effective because:

  • Developers often trust and auto-update dependencies
  • Malicious code is hidden within legitimate packages
  • Infection happens during normal development workflows

Scope and Impact

The attack has the potential to affect thousands of applications and developer environments that installed the compromised versions.

Since the payload is executed during installation, even development machines, not just production systems can be compromised.

This creates a high-risk scenario for:

  • Credential theft
  • Source code exposure
  • Lateral movement within internal networks

Mitigation and Recommended Actions

Developers and organizations should take immediate action:

  • Avoid using affected Axios versions (1.14.1 and 0.30.4)
  • Upgrade to a clean and verified version immediately
  • Audit dependencies and lockfile changes for anomalies
  • Monitor systems for unusual outbound connections or processes
  • Implement stricter controls for dependency management

It is also recommended to use tools that verify package integrity and detect suspicious behavior in dependencies.

Why This Matters

This incident reinforces a growing trend: software supply chain attacks are becoming one of the most effective attack vectors.

Instead of targeting organizations directly, attackers compromise trusted tools and libraries, effectively turning them into distribution channels for malware.

As reliance on open-source ecosystems continues to grow, securing dependencies is no longer optional, it is a critical part of modern cybersecurity strategy.

Resources

Comments

Post a Comment

Popular posts from this blog

The Hidden Lag Killing Your SIEM Efficiency

-
Image
  If your security tools feel slower than they should, you’re not imagining it. Many IT teams blame their sluggish SIEM performance on query complexity or alert volume. But sometimes the real issue is much simpler: oversized input files quietly dragging your system down. Think about the last time you had to sift through a bloated PDF or an unoptimised log dump. Every unnecessary megabyte adds strain. Every redundant line eats up cycles. Your SIEM doesn’t just react to threats—it processes all incoming data, relevant or not. When it starts lagging, detection gets delayed, triage slows, and in the high-stakes world of threat response, even seconds count. We often focus on analytics and rule tuning, but upstream efficiency—what you feed into your system—deserves just as much attention. This article looks at how optimising your inputs unlocks downstream performance. Why Oversized Files Clog the Pipeline As data volumes grow, organisations face esca lating  data storage costs ,...
Read more

Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution

-
Image
Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution By : Rei Ibraima A newly discovered critical vulnerability in Veeam’s Backup & Replication software, designated as CVE-2025-23120, poses a significant security risk to enterprise environments. The flaw allows authenticated domain users to execute arbitrary code remotely, potentially leading to full compromise of backup infrastructures. About CVE-2025-23120 The vulnerability arises from an insecure deserialization issue within Veeam Backup & Replication components—particularly in the .NET classes Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary. Improper input validation in these components allows attackers to inject malicious serialized objects that are executed on the server side, resulting in Remote Code Execution (RCE). This issue affects systems where Veeam Backup & Replication is deployed in a domain-joined configuration, which—while common—is...
Read more

Lotus Panda Hacks SE Asian Governments With Browser Stealers and Sideloaded Malware

-
Image
The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025. "Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company," the Symantec Threat Hunter Team said in a new report shared with The Hacker News. "The attacks involved the use of multiple new custom tools, including loaders, credential stealers, and a reverse SSH tool." The intrusion set is also said to have targeted a news agency located in another country in Southeast Asia and an air freight organization located in another neighboring country. The threat cluster, per Broadcom's cybersecurity division, is assessed to be a continuation of a campaign that was disclosed by the company in December 2024 as a high-profile organization in Southeast Asia since at least October 2023. ...
Read more