Axios NPM Package Poisoning: A Textbook Supply Chain Attack Drops RAT via Trusted HTTP Client + Video

Listen to this Post

Featured Image

Introduction:

A critical supply chain attack has compromised Axios, one of the most widely used HTTP client libraries in the Node.js ecosystem, with over 40 million weekly downloads. Malicious versions 1.14.1 and 0.30.4 were published using compromised maintainer credentials, injecting a post-install script that deploys a Remote Access Trojan (RAT) across Windows, macOS, and Linux environments. This incident underscores that even the most trusted open-source packages can become attack vectors, necessitating immediate behavioral monitoring and dependency pinning.

Learning Objectives:

  • Identify the Indicators of Compromise (IOCs) for the Axios supply chain attack across Windows, macOS, and Linux operating systems.
  • Understand the attack vector, including the compromised maintainer account and the post-installation execution flow.
  • Apply mitigation strategies such as version pinning, secret rotation, and runtime detection techniques to prevent similar attacks.

You Should Know:

  1. The Anatomy of the Axios Supply Chain Attack
    The attack was executed by compromising the credentials of an Axios package maintainer. The attacker manually published two trojanized versions—1.14.1 and 0.30.4—outside the normal continuous integration pipeline. Unlike typical malicious packages that rely on typosquatting, this attack exploited the existing trust in the legitimate package name. The malicious code was embedded in a post-install script, meaning the RAT was deployed immediately upon installation or update via npm install. This attack vector is particularly dangerous because Axios is a foundational dependency for countless applications, including many used by threat actors in their own phishing infrastructure, creating a scenario where malicious infrastructure could also be compromised by the very tool it relies on.

2. Comprehensive Indicators of Compromise (IOCs)

Based on the disclosed information, security teams must immediately hunt for the following artifacts. These IOCs are critical for detection across all major platforms.

Network IOCs (All OS):

– `sfrclak[.]com` – This is the command-and-control (C2) domain. Any outbound traffic to this domain should be treated as a confirmed compromise.
– `packages[.]npm[.]org/product0`
– `packages[.]npm[.]org/product1`
– `packages[.]npm[.]org/product2` – These URLs are used as part of the malicious package’s communication or data exfiltration.

Critical Windows IOCs:

  • On Disk: `C:\ProgramData\wt.exe` – This is the dropped RAT executable.
  • On Disk: `C:\ProgramData\system.bat` – This batch file likely handles persistence and execution.
  • Registry: User Run Key: `MicrosoftUpdate` – This ensures the malware executes on user logon.

To detect these IOCs across an enterprise, use the following PowerShell commands to scan for artifacts:

 Scan for the malicious executable and batch file
Get-ChildItem -Path "C:\ProgramData\" -Filter "wt.exe" -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path "C:\ProgramData\" -Filter "system.bat" -Recurse -ErrorAction SilentlyContinue

Query the Registry for the persistence key
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "MicrosoftUpdate" -ErrorAction SilentlyContinue

Check DNS cache for the malicious domain
Get-DnsClientCache | Where-Object { $<em>.Entry -like "sfrclak" -or $</em>.Entry -like "packages.npm.org" }

Critical macOS IOCs:

  • On Disk: `/Library/Caches/com.apple.act.mond` – This file path is likely the payload or a component of the RAT.

Use the following terminal commands to detect these IOCs on macOS:

 Check for the malicious file
sudo ls -la /Library/Caches/ | grep "com.apple.act.mond"

Search for any references in system logs (if the file has been executed)
grep -r "sfrclak" /var/log/ 2>/dev/null
grep -r "packages.npm.org" /var/log/ 2>/dev/null

Critical Linux IOCs:

  • On Disk: `/tmp/ld.py` – A Python script dropped in the temporary directory, likely the RAT or downloader.
  • Network: packages[.]npm[.]org/product2

For Linux systems, use these commands to hunt for the indicator:

 Check for the Python script in /tmp
ls -la /tmp/ | grep "ld.py"

Search for the malicious domain in network connection logs
sudo grep -r "sfrclak" /var/log/ 2>/dev/null
sudo grep -r "packages.npm.org" /var/log/ 2>/dev/null

Check for any running processes related to the Python script
ps aux | grep "ld.py"

3. Immediate Mitigation and Remediation

If your environment uses Node.js and you have installed Axios versions 1.14.1 or 0.30.4, consider your systems compromised. Follow these steps immediately:

Step 1: Pin to Safe Versions

In your `package.json` files, immediately pin Axios to a safe version. The last known good versions are `1.14.0` and 0.30.3. Update your `package.json` to reflect this:

{
"dependencies": {
"axios": "1.14.0"
}
}

Then, run `npm install` or `npm update` to ensure the safe version is pulled. After updating, remove the `package-lock.json` and `node_modules` directory to ensure no remnants of the compromised version remain.

Step 2: Rotate All Secrets

The RAT may have captured environment variables, credentials, and API keys. Rotate all secrets, tokens, and passwords that were present on the compromised system. This includes:
– Cloud provider API keys (AWS, Azure, GCP)
– Database credentials
– Third-party service tokens
– SSH keys

Step 3: Isolate and Reimage Compromised Hosts

If any IOCs are found, immediately isolate the system from the network. For developer workstations, CI/CD build servers, or production servers, a full reimage is the safest course of action. Simply removing the malicious package may not remove all persistence mechanisms or backdoors.

4. Advanced Detection: Behavioral Monitoring and Pipeline Hardening

The detection lesson from this incident is that relying solely on package names or static analysis is insufficient. As noted in the post’s comments, trusted package names are no longer a reliable signal of safe execution. Security teams must implement behavioral monitoring at the runtime layer and harden their CI/CD pipelines.

CI/CD Hardening:

  • Use Dependency Pinning: Lock all dependencies to specific, verified versions. Use `npm shrinkwrap` or `package-lock.json` to enforce these versions.
  • Implement Supply Chain Security Tools: Tools like `npm audit` and commercial software composition analysis (SCA) solutions can detect known vulnerabilities. However, they may not catch zero-day attacks like this one. Consider using tools that analyze package behavior before installation.
  • Isolate Build Environments: Run builds in ephemeral, isolated containers that do not have access to production secrets. This limits the blast radius if a build environment is compromised.

Runtime Behavioral Monitoring:

  • Endpoint Detection and Response (EDR): Deploy EDR agents to monitor for suspicious process execution, such as `node.exe` spawning a `python.exe` or `cmd.exe` process, or attempting to make connections to new or suspicious domains like sfrclak[.]com.
  • Network Monitoring: Implement network detection rules to alert on traffic to the IOC domains. This is a high-fidelity indicator that should trigger an immediate incident response.
  • File Integrity Monitoring (FIM): Monitor critical directories like `C:\ProgramData` and `/tmp/` for new executable or script creation, especially files named wt.exe, system.bat, or ld.py.

5. Linux and Windows Hardening Commands

To prevent similar attacks, implement system-level hardening on your development and production servers.

On Linux:

Disable or restrict the execution of scripts from temporary directories. You can use `noexec` mount options for /tmp:

sudo mount -o remount,noexec,nosuid /tmp

To make this permanent, add to `/etc/fstab`:

tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0

On Windows:

Implement AppLocker or Windows Defender Application Control (WDAC) to prevent the execution of executables from `%ProgramData%` and `%Temp%` unless they are signed by a trusted publisher. This can block the `wt.exe` payload from executing even if dropped.

What Undercode Say:

  • Trust is Not a Security Control: The Axios incident highlights that relying on the reputation of a widely-used package is a fundamental security flaw. Organizations must assume any third-party dependency could be compromised at any time.
  • Post-Install Scripts are High Risk: The use of post-install scripts in npm packages is a massive attack surface. Security policies should strictly limit or audit these scripts, and consider using tools like `npm ci` in production to bypass them.
  • Supply Chain Visibility is Paramount: Without runtime monitoring and a deep understanding of your software bill of materials (SBOM), attacks like this will remain invisible until it is too late. The ability to quickly inventory which systems are running a specific vulnerable version is critical.

Prediction:

Supply chain attacks will continue to escalate, moving from typosquatting to the direct compromise of maintainer accounts for widely-used libraries. The industry will see a surge in demand for runtime application self-protection (RASP) and software supply chain security tools that can analyze package behavior in real-time. Furthermore, we can expect a shift toward more aggressive auditing of package maintainers and the implementation of mandatory two-factor authentication (2FA) for all critical open-source library publishers, as the lack of such controls is what made this attack possible.

▶️ Related Video (78% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Jaiminton Axios – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky