
Axios Hijack Exposes JavaScript Supply Chain

Compromised Axios account released trojanized packages affecting millions.

A compromised maintainer account for the ubiquitous Axios HTTP client led to the release of malicious npm packages, potentially impacting millions of web applications. According to a Wiz Research report released Tuesday, attackers published versions 1.14.1 and 0.30.4 to the npm registry, embedding a dependency on a trojanized package called plain-crypto-js.

The report characterizes the impact as severe, noting that axios is “present in 80% of cloud and code environments and downloaded 100 million times per week.” Wiz researchers Benjamin Read and Amitai Cohen state that while the malicious versions were removed within hours, the researchers “observed execution in 3% of affected environments.” This incident marks a significant escalation from “typosquatting” to a direct “account takeover” (ATO) of a trusted developer.

The malware functioned as a cross-platform remote access trojan (RAT). Wiz technical analysis found that the second-stage payloads “beacon to the C2 server every 60 seconds, transmitting system inventory and awaiting commands.” On macOS, the payload was a compiled Mach-O binary capable of “self-signing injected payloads via codesign,” while Windows targets faced a PowerShell script establishing persistence via a registry Run key.

Security teams should immediately audit build pipelines and lockfiles for the affected versions (1.14.1 and 0.30.4) and for any resolution of plain-crypto-js. Because the malicious versions were live for only hours before removal, a lockfile that looks clean today does not clear a build that ran during that window; installs from that period should be treated as potentially compromised. The Wiz report also advises organizations to “rotate exposed credentials” if execution is confirmed, as the malware targets environment variables and API keys during installation.
