Axios Front-End Library npm Supply Chain Poisoning Alert

April 1, 2026 | NSFOCUS

Overview

On March 31, NSFOCUS CERT detected a supply chain poisoning of the npm package of the HTTP client library Axios. The attacker bypassed the project's normal GitHub Actions CI/CD pipeline, changed the email address of the axios maintainer account to an anonymous ProtonMail address, and manually published malicious versions carrying a Trojan backdoor through the npm CLI. When a user installs one of these versions, a persistent remote-control backdoor is established on the host. The impact is wide-ranging, and affected users are urged to investigate and take protective measures as soon as possible.

Axios is an open source JavaScript HTTP client based on Promise, widely used in browsers and Node.js environments.

Reference link: https://github.com/axios/axios/issues/10604

Scope of Impact

Affected versions

  • axios = 1.14.1
  • axios = 0.30.4

Note: Windows, macOS, and Linux hosts are all affected; axios has more than 300 million downloads per week.

Unaffected versions

  • axios <= 1.14.0
  • axios <= 0.30.3

Event Analysis

The attacker stole and took over the npm and GitHub accounts of Jason Saayman, the main maintainer of the Axios project, and changed the account email address to an anonymous ProtonMail address, ifstap@proton.me. Before that, the attacker staged a clean plain-crypto-js@4.2.0 through a separate one-time account, nrwise@proton.me, to establish an npm release history and avoid the new-package alerts raised by security tooling. About 18 hours later, the malicious plain-crypto-js@4.2.1 was published on npm; the attacker then bypassed the normal GitHub Actions release process to publish the malicious versions axios@1.14.1 and axios@0.30.4, adding plain-crypto-js@4.2.1 as a runtime dependency. During installation, plain-crypto-js executes the malicious setup.js script (a RAT dropper), which fingerprints the current system and delivers a different remote-control payload for each of the three platforms macOS, Windows, and Linux.

The attacker implanted self-destruct logic in setup.js. After the Trojan backdoor is executed, it will automatically delete its own script files, delete package.json with malicious hooks, and replace them with clean disguise files prepared in advance.

// Script self-deletes
const fs = require("fs");
fs.unlink(__filename, (x => {}));

// Overwrite the original package.json with the prepared clean package.md by renaming it
fs.rename("package.md", "package.json", (x => {}));

Event timeline:

  • 3/30 05:57:32 UTC, the attacker created plain-crypto-js@4.2.0 (clean camouflage package)
  • 3/30 23:59:12 UTC, the attacker released the plain-crypto-js@4.2.1 malicious payload
  • 3/31 00:21:58 UTC, the attacker released the malicious version axios@1.14.1 through the npm CLI
  • 3/31 01:00:57 UTC, the attacker released the malicious version axios@0.30.4 through the npm CLI
  • 3/31 02:30 UTC, the attacker deleted the alert issue using administrator privileges
  • 3/31 03:40:46 UTC, npm removed the malicious versions and revoked all tokens
  • 3/31, NSFOCUS CERT issued an early warning notice

Risk Investigation

Relevant users can conduct troubleshooting according to the following steps:

1. Use the following command to check whether there is a malicious version of Axios in the project

# Check the axios version in project dependencies

npm list axios 2>/dev/null | grep -E "1\.14\.1|0\.30\.4"

# Check the axios version pinned by the lock file

grep -A1 '"axios"' package-lock.json | grep -E "1\.14\.1|0\.30\.4"

2. Check the CI/CD pipeline log to see if there is any npm install/npm update operation for pulling or installing a new version of Axios

3. Check whether there is a malicious dependency package plain-crypto-js in node_modules

ls node_modules/plain-crypto-js 2>/dev/null && echo "POTENTIALLY AFFECTED"

Note: If the package.json of plain-crypto-js is already a clean stub (the malicious install hook and setup.js are gone), the backdoor Trojan has already been run on this host.
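A triage helper, added here as an example and not part of the advisory, that applies steps 1 and 3 and the note above with a JSON parser instead of grep: it collects every axios and plain-crypto-js version pinned in package-lock.json (v1 and v2/v3 formats) and classifies a node_modules/plain-crypto-js directory by whether its install hook and setup.js are still present. It assumes the dropper's hook is registered under package.json "scripts", as the advisory's description of the hook implies.

```python
"""Added triage helper for the axios@1.14.1 / axios@0.30.4 poisoning (example code,
not from the advisory): parse package-lock.json and classify plain-crypto-js state."""
import json
from pathlib import Path

AFFECTED_AXIOS = {"1.14.1", "0.30.4"}
MALICIOUS_DEP = "plain-crypto-js"
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def scan_lockfile(lock_text: str) -> dict:
    """Every axios / plain-crypto-js version pinned anywhere in the lockfile,
    covering the v2/v3 'packages' map and the v1 nested 'dependencies' tree."""
    lock = json.loads(lock_text)
    found = {"axios": set(), MALICIOUS_DEP: set()}
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]  # "" for the root project
        if name in found:
            found[name].add(meta.get("version", "?"))
    def walk(deps):  # v1 lockfiles nest transitive deps under each package
        for name, meta in deps.items():
            if name in found:
                found[name].add(meta.get("version", "?"))
            walk(meta.get("dependencies", {}))
    walk(lock.get("dependencies", {}))
    return {k: sorted(v) for k, v in found.items()}

def lockfile_affected(lock_text: str) -> bool:
    """True if an affected axios version or the dropper package is pinned at all."""
    found = scan_lockfile(lock_text)
    return bool(AFFECTED_AXIOS & set(found["axios"]) or found[MALICIOUS_DEP])

def classify_dropper(pkg_json_text, setup_js_present: bool) -> str:
    """'hook-present': install hook and setup.js still there, the dropper has not run
    (typical after `npm install --ignore-scripts`). 'hook-gone': stub package.json or
    no setup.js, it already ran and self-deleted; treat the host as compromised.
    Assumption: the hook is registered under package.json 'scripts'."""
    try:
        scripts = json.loads(pkg_json_text or "{}").get("scripts", {})
    except ValueError:
        scripts = {}
    hooked = any(h in scripts for h in INSTALL_HOOKS)
    return "hook-present" if hooked and setup_js_present else "hook-gone"

def dropper_state(node_modules) -> str:  # 'absent' if not installed, else classify
    pkg_dir = Path(node_modules) / MALICIOUS_DEP
    if not pkg_dir.is_dir():
        return "absent"
    pkg_json = pkg_dir / "package.json"
    text = pkg_json.read_text() if pkg_json.exists() else None
    return classify_dropper(text, (pkg_dir / "setup.js").exists())
```

From the project root, call lockfile_affected(open("package-lock.json").read()) and dropper_state("node_modules"); a result of "hook-gone" means the directory is present but the hook is already consumed, which should be handled as a compromised host.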

Users can use the command of the corresponding system to check whether there is a backdoor Trojan on the affected host:

# macOS
ls -la /Library/Caches/com.apple.act.mond 2>/dev/null && echo "COMPROMISED"

# Linux
ls -la /tmp/ld.py 2>/dev/null && echo "COMPROMISED"

# Windows
dir "%PROGRAMDATA%\wt.exe" 2>nul && echo COMPROMISED

Summary and Recommendations

This incident has once again sounded the alarm for supply chain security in the front-end ecosystem and open source community. Enterprises must establish a normalized open source component security audit mechanism and build a complete supply chain security governance system to prevent such threats.

It is recommended that affected users take the following measures:

1. Immediately downgrade axios to a safe version and force all indirect dependencies of the project to use:

# Safe version on each of the two release branches

npm install axios@1.14.0
npm install axios@0.30.3

# Pin the safe version in package.json via overrides (npm) and resolutions (Yarn)

{
  "dependencies": { "axios": "1.14.0" },
  "overrides":    { "axios": "1.14.0" },
  "resolutions":  { "axios": "1.14.0" }
}

2. Remove plain-crypto-js from node_modules, clear the npm cache and reinstall dependencies:

rm -rf node_modules/plain-crypto-js

npm cache clean --force

npm install --ignore-scripts

3. Revoke and rotate all system npm tokens, SSH keys, cloud account keys, CI/CD keys, database passwords and other credentials;

4. Block and investigate malicious IoCs; 

5. Implement the principle of least privilege, limit the access scope of CI/CD tools, and rotate credentials regularly;

6. Establish a normalized open source component audit mechanism and increase multiple approval processes before release.

IOCs

Malicious files

File name: axios@1.14.1

SHA1: 2553649f2322049666871cea80a5d0d6adc700ca

File name: axios@0.30.4

SHA1: d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71

File name: plain-crypto-js@4.2.1

SHA1: 07d889e2dadce6f3910dcbc253317d28ca61c766

Malicious domain name/IP

  • sfrclak.com
  • callnrwise.com
  • 142.11.206.73

Malicious URL

http://sfrclak.com:8000/6202033

Malicious mailbox

nrwise@proton.me

ifstap@proton.me

Others

User-Agent: mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, a pioneering leader in cybersecurity, is dedicated to safeguarding telecommunications, Internet service providers, hosting providers, and enterprises from sophisticated cyberattacks.

Founded in 2000, NSFOCUS operates globally with over 4000 employees at two headquarters in Beijing, China, and Santa Clara, CA, USA, and over 50 offices worldwide. It has a proven track record of protecting over 25% of the Fortune Global 500 companies, including four of the five largest banks and six of the world’s top ten telecommunications companies.

Leveraging technical prowess and innovation, NSFOCUS delivers a comprehensive suite of security solutions, including the Intelligent Security Operations Platform (ISOP) for modern SOC, DDoS Protection, Continuous Threat Exposure Management (CTEM) Service and Web Application and API Protection (WAAP). All the solutions and services are augmented by the Security Large Language Model (SecLLM), ML, patented algorithms and other cutting-edge research achievements developed by NSFOCUS.