GBHackers

Axios NPM Packages Breached in Ongoing Supply Chain Attack


A severe supply chain attack has compromised the widely used Axios HTTP client on the npm registry.

Attackers injected a malicious dependency into specific Axios releases, exposing millions of developers to a multi-stage remote access trojan capable of executing arbitrary commands and stealing system data.

The malicious Axios versions, 1.14.1 and 0.30.4, were published directly to the npm registry without any corresponding GitHub tags.

This anomaly indicates the threat actors bypassed normal release pipelines, likely by exploiting a compromised long-lived npm publishing token linked to a trusted maintainer.

The situation escalated when maintainers realized they could not immediately revoke access because the attacker’s account permissions exceeded their own.

The injected dependency, [email protected], was published only minutes before the poisoned Axios releases. Those releases declared it with a caret version range, so any fresh installation resolved to the newest version of that dependency and pulled in the compromised code automatically.

Execution Flow and Obfuscation Tactics

According to Socket Dev, the attack initiates automatically during the package installation phase via an npm postinstall lifecycle hook.

This hook executes a dropper script named setup.js. To hide from static analysis tools and signature-based detection, the attackers employed a custom two-layer obfuscation scheme.
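As an added example (editor-supplied code, not the article's, Socket's or the Axios project's), the Node script below audits a package-lock.json for the two Axios versions named above and for any package whose lockfile entry carries hasInstallScript, the flag npm sets for packages that register install-time hooks such as postinstall. The lockfile it runs against is constructed, the dependency name example-hooked-dep is hypothetical, and the caret matcher is a deliberately minimal one for plain x.y.z versions that shows why a ^1.14.0 range resolves to 1.14.1 on a fresh install.

```javascript
// Added example (not from the article, Socket, or the Axios project).
// Audits an npm lockfile (v2/v3 "packages" map) for the Axios releases
// the article names and for any package flagged with hasInstallScript,
// which is what lets a postinstall dropper run. SAMPLE_LOCK is constructed.
const AFFECTED_AXIOS = new Set(["1.14.1", "0.30.4"]);

// Minimal caret matcher for plain x.y.z versions (no prerelease tags).
// ^a.b.c admits >= a.b.c and below the next major (next minor when a == 0,
// next patch when a == 0 and b == 0).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function caretSatisfies(range, version) {
  if (!range.startsWith("^")) throw new Error("expected a caret range");
  const lo = parseVersion(range.slice(1));
  const v = parseVersion(version);
  const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
  if (cmp(v, lo) < 0) return false;
  const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0]
           : lo[1] > 0 ? [0, lo[1] + 1, 0]
           : [0, 0, lo[2] + 1];
  return cmp(v, hi) < 0;
}

// Returns a list of {path, issue} findings for the given lockfile object.
function auditLockfile(lock) {
  const findings = [];
  for (const [pkgPath, entry] of Object.entries(lock.packages || {})) {
    if (pkgPath === "") continue; // the root project itself
    const marker = "node_modules/";
    // Works for nested and scoped paths: the name is whatever follows the last marker.
    const name = pkgPath.slice(pkgPath.lastIndexOf(marker) + marker.length);
    if (name === "axios" && AFFECTED_AXIOS.has(entry.version)) {
      findings.push({ path: pkgPath, issue: `axios ${entry.version} is a compromised release` });
    }
    if (entry.hasInstallScript) {
      findings.push({ path: pkgPath, issue: "declares an install-time lifecycle script" });
    }
  }
  return findings;
}

// Constructed lockfile: a project that asked for ^1.14.0 and therefore resolved
// to 1.14.1 on a fresh install, plus a hypothetical dependency with a hook.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/example-hooked-dep": { version: "4.2.1", hasInstallScript: true },
  },
};

// Usage: node audit-lock.js ./package-lock.json (falls back to SAMPLE_LOCK).
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("node:fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) console.log(`${f.path}: ${f.issue}`);
  console.log("^1.14.0 admits 1.14.1:", caretSatisfies("^1.14.0", "1.14.1"));
}
```

npm records hasInstallScript only in lockfile versions 2 and 3, so a v1 lockfile will not surface the second class of finding. Setting ignore-scripts=true in .npmrc stops lifecycle hooks from running at install time, at the cost of breaking the minority of packages that genuinely need them.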

The decoder first reverses each Base64-encoded string and decodes it, then applies an XOR cipher with a hardcoded key to recover the real code.
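To make the decoding step concrete, here is an editor-added (de)obfuscator for a scheme of the shape described: repeating-key XOR, Base64, then string reversal. It is not the dropper's code; the key k3y! and the exact layer order are assumptions, and recovering the real values requires reading the actual sample. The last function shows the known-plaintext trick an analyst uses when a hardcoded XOR key is not immediately obvious in the script.

```javascript
// Added example (not the dropper's real code). A generic two-layer string
// (de)obfuscator of the kind the article describes: repeating-key XOR,
// Base64, then string reversal. DEMO_KEY and the layer order are assumptions.
const DEMO_KEY = "k3y!"; // assumed; a real sample's key must be read out of the dropper

function xorBytes(buf, key) {
  const k = Buffer.from(key, "utf8");
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ k[i % k.length];
  return out;
}

// Forward direction, as a dropper author would prepare strings.
function obfuscate(plain, key = DEMO_KEY) {
  const b64 = xorBytes(Buffer.from(plain, "utf8"), key).toString("base64");
  return [...b64].reverse().join("");
}

// Reverse direction, as an analyst would decode recovered strings.
function deobfuscate(blob, key = DEMO_KEY) {
  const b64 = [...blob].reverse().join("");
  return xorBytes(Buffer.from(b64, "base64"), key).toString("utf8");
}

// Known-plaintext trick: if a decoded string is expected to start with a
// known prefix (a URL scheme, "require(", a shell builtin), XORing the
// de-Base64'd bytes with that prefix leaks the key bytes at those positions;
// the repeating period, and so the key, can then be read off the result.
function recoverKeyPrefix(blob, knownPrefix) {
  const raw = Buffer.from([...blob].reverse().join(""), "base64");
  const p = Buffer.from(knownPrefix, "utf8");
  if (p.length > raw.length) throw new Error("known prefix longer than payload");
  return xorBytes(raw.subarray(0, p.length), knownPrefix).toString("utf8");
}

// Constructed demonstration string; the URL is not a real C2 address.
const DEMO_PLAINTEXT = "https://example.invalid/stage2";
const DEMO_BLOB = obfuscate(DEMO_PLAINTEXT);
```

Given a suspected blob, an analyst would call recoverKeyPrefix(blob, "https://") and look for the point at which the returned bytes start repeating; with an eight-byte known prefix and the four-byte key assumed here, the output is the key twice.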

[Figure: attack flow (Source: Socket)]

Once decoded, the script identifies the host operating system and contacts the attacker’s command-and-control server to retrieve the next stage of the malware.

The malware is highly adaptable, delivering tailored payloads based on the victim’s operating system.

On macOS, it uses AppleScript to fetch a C++ Mach-O remote access trojan that mimics a legitimate Apple background daemon by saving itself to a disguised system cache directory.

This trojan can fingerprint the system, generate unique victim IDs, and use a dedicated peinject command to sign and execute additional malicious binaries.

On Windows, the malware disguises PowerShell as Windows Terminal to bypass endpoint detection tools, executing a hidden VBScript that downloads the final payload while bypassing standard execution policies.

Linux systems receive a detached Python script that runs silently in the background. All variants communicate with the server using deceptive HTTP POST requests formatted to mimic normal registry traffic.

After the payload executes, the malware removes the artifacts that would give it away during forensic review.

It deletes the initial setup.js dropper and the malicious package.json manifest that invoked it.

It then renames a clean markdown file into the place of the deleted manifest, so the installed directory looks exactly like a harmless cryptography library with no malicious code left on disk.
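Because the cleanup leaves the on-disk package out of step with what the lockfile recorded about it, that mismatch is something an incident responder can test for. The editor-added check below (not Socket's or the article's code) compares a lockfile entry with the text of the installed package.json and reports the discrepancies the described behaviour would produce: a manifest that no longer parses as JSON, a version that differs from the lockfile, or a recorded install script that the manifest now fails to declare. The inputs are constructed and the package name example-hooked-dep is hypothetical.

```javascript
// Added example (not Socket's or the article's code). Compares what the
// lockfile recorded about a package with the package.json now on disk and
// returns the issues an incident responder would want flagged.
// All inputs below are constructed; the package name is hypothetical.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

function checkInstalledManifest(lockEntry, manifestText) {
  const issues = [];
  let manifest;
  try {
    manifest = JSON.parse(manifestText);
  } catch {
    // A manifest that no longer parses (e.g. a renamed markdown file) is the
    // strongest signal that the directory was rewritten after installation.
    return ["package.json is not valid JSON"];
  }
  if (lockEntry.version && manifest.version !== lockEntry.version) {
    issues.push(`version mismatch: lockfile ${lockEntry.version}, on disk ${manifest.version}`);
  }
  const scripts = manifest.scripts || {};
  const hasHook = INSTALL_HOOKS.some((k) => k in scripts);
  if (lockEntry.hasInstallScript && !hasHook) {
    issues.push("lockfile recorded an install script but the manifest now declares none");
  }
  if (!lockEntry.hasInstallScript && hasHook) {
    issues.push("manifest declares an install script the lockfile did not record");
  }
  return issues;
}

// Walks every non-root entry of a v2/v3 lockfile, reading each installed
// manifest through the supplied reader (injected so the logic is testable
// without a filesystem). Returns a map of package path -> issues.
function auditInstalledTree(lock, readManifestText) {
  const report = {};
  for (const [pkgPath, entry] of Object.entries(lock.packages || {})) {
    if (pkgPath === "") continue;
    const text = readManifestText(pkgPath);
    const issues = text === null
      ? ["package.json is missing"]
      : checkInstalledManifest(entry, text);
    if (issues.length) report[pkgPath] = issues;
  }
  return report;
}

// Constructed inputs.
const LOCK_ENTRY = { version: "4.2.1", hasInstallScript: true };
const CLEAN_LOOKING_MANIFEST = JSON.stringify({
  name: "example-hooked-dep", version: "4.2.1", main: "index.js",
});
const MARKDOWN_AS_MANIFEST = "# example-hooked-dep\n\nA small crypto helper.\n";

// Usage against a real tree: node check-tree.js ./package-lock.json
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("node:fs");
  const path = require("node:path");
  const lockPath = process.argv[2];
  if (lockPath) {
    const lock = JSON.parse(fs.readFileSync(lockPath, "utf8"));
    const root = path.dirname(lockPath);
    const reader = (p) => {
      const file = path.join(root, p, "package.json");
      return fs.existsSync(file) ? fs.readFileSync(file, "utf8") : null;
    };
    console.log(JSON.stringify(auditInstalledTree(lock, reader), null, 2));
  } else {
    console.log(checkInstalledManifest(LOCK_ENTRY, CLEAN_LOOKING_MANIFEST));
    console.log(checkInstalledManifest(LOCK_ENTRY, MARKDOWN_AS_MANIFEST));
  }
}
```

The comparison is only as good as the lockfile it trusts: if the lockfile was itself regenerated after the compromised install, restore it from version control or a pre-incident backup before running the check.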
