ChainCatcher reports that the attacker stole the npm access token of the lead maintainer of Axios, the most popular JavaScript HTTP client library, and used it to publish two malicious versions containing a cross-platform remote access trojan (RAT)—axios@1.14.1 and axios@0.3.4—targeting macOS, Windows, and Linux systems. The malicious packages were removed from the npm registry after approximately three hours. According to data from security firm Wiz, Axios is downloaded over 100 million times per week and is present in approximately 80% of cloud and code environments. Security firm Huntress detected the first infections just 89 seconds after the malicious packages went live and confirmed at least 135 compromised systems during the exposure window. Notably, the Axios project had already implemented modern security measures such as OIDC trusted publishing and SLSA provenance, yet the attacker fully bypassed these protections. Investigation revealed that while OIDC was configured, the project retained a traditional, long-lived NPM_TOKEN, and npm defaults to using the traditional token when both are present, allowing the attacker to publish without circumventing OIDC.
Axios Library Hit by Supply Chain Attack; Malicious Packages Affect 80% of Cloud Environments
ChaincatcherShare
On-chain news emerged as the Axios JavaScript library was compromised in a supply chain attack, with attackers publishing two malicious npm packages containing cross-platform RATs. The packages, axios@1.14.1 and axios@0.3.4, were removed after three hours, but 135 systems were already infected. Axios is used in 80% of cloud environments and receives over 100 million weekly downloads. Attackers bypassed security measures by exploiting a long-lived NPM_TOKEN. While new token listings remain a priority for developers, this incident underscores ongoing risks within open-source ecosystems.
Source:Show original
Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information.
Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.