Axios npm packages compromised in supply chain breach, credential rotation recommended
Cybersecurity firms identified axios@1.14.1 and 0.30.4 as malicious versions, recommending immediate credential updates and removal of infected packages.

Two compromised versions of the Axios npm package have triggered urgent alerts for software developers to rotate their credentials and treat affected environments as fully breached, following a supply chain incident that contaminated the widely used JavaScript HTTP client library.
Cybersecurity firm Socket initially identified the breach, reporting that axios@1.14.1 and axios@0.30.4 had been altered to depend on plain-crypto-js@4.2.1, a malicious package whose install script ran automatically when it was installed, before npm removed the malicious releases from its registry.
Based on analysis from security firm OX Security, the injected malicious code has the capability to provide threat actors with remote system access to compromised machines, enabling the exfiltration of confidential information including login credentials, API keys and cryptocurrency wallet data.
The breach demonstrates how a solitary compromised open-source library can create cascading effects across countless applications dependent on it, putting at risk not only software developers but also platforms and end users throughout the entire ecosystem.
Security companies urge key rotation, system audits
OX Security issued warnings to developers who downloaded axios@1.14.1 or axios@0.30.4 to consider their environments as completely breached and take immediate action to rotate all credentials, including API keys and session tokens.
Socket reported that the tainted Axios packages had been altered to incorporate a dependency on plain-crypto-js@4.2.1, a package that was published just before the attack and was subsequently confirmed as malicious.
According to the security company, the malicious dependency was designed to execute automatically upon installation via a post-install script, enabling threat actors to run arbitrary code on compromised systems without requiring any further user actions.
Socket recommended that developers conduct thorough reviews of their code repositories and dependency configuration files, including lockfiles, which pin the exact version that gets installed, to identify the compromised Axios versions and the related plain-crypto-js@4.2.1 package, and to remove or downgrade any affected versions without delay.
Earlier crypto incidents highlight supply chain risks
Previous cryptocurrency-related incidents have demonstrated how supply chain vulnerabilities can progress from compromised developer credentials to direct user wallet fund theft.
On Jan. 3, onchain investigator ZachXBT reported that "hundreds" of wallets across Ethereum Virtual Machine-compatible networks were drained in a broad attack that siphoned small amounts from each victim.
Cybersecurity researcher Vladimir S. said the incident was potentially linked to a December breach affecting Trust Wallet, which resulted in roughly $7 million in losses across over 2,500 wallets.
Trust Wallet later said the breach may have originated from a supply chain compromise involving npm packages used in its development workflow.