Axios NPM Package Supply Chain Compromise Leads to RAT Deployment
KEY OBSERVATIONS
- Malicious Package Versions Identified: Malicious versions of the Axios npm package (axios@1.14.1 and axios@0.30.4) were observed within a customer’s environment, indicating exposure to the supply chain compromise.
- Suspicious Dependency Execution: The presence of an unauthorized dependency was identified, which executed a postinstall script during npm installation, triggering the initial stage of the infection.
- Abnormal Process Execution Chain: Multiple systems exhibited suspicious parent-child process relationships where npm or node spawned command interpreters such as cmd.exe, powershell.exe, followed by execution of network utilities like curl or wget.
- Post-exploitation activities detected by LevelBlue: LevelBlue’s Cybereason Defense Platform generated detections associated with post-install script execution, abnormal process (renamed PowerShell) spawning, and suspicious outbound network communication, indicating successful exploitation and potential remote access trojan (RAT) deployment on affected systems.
WHAT'S HAPPENING?
A supply chain compromise involving the Axios npm package has been identified within a customer’s environment. Earlier this month, news broke that threat actors successfully published malicious versions of the package to the npm repository after compromising the npm account of the company’s lead developer.
These malicious versions included a hidden dependency that executed automatically during the npm installation process via a postinstall script. This resulted in the downloading and execution of a secondary payload, ultimately deploying a RAT on affected systems.
Unlike traditional malware infections, this attack does not require user interaction beyond installing dependencies, making it particularly dangerous for developer systems and continuous integration/continuous delivery CI/CD pipelines where automated installations are common.
Proactive threat hunting has confirmed the presence of this activity across multiple machines in the environment.
Impact
The impact of this compromise is considered critical due to the nature of execution and access gained by the attacker.
Affected systems may have experienced:
- Full remote access by the threat actor
- The exposure of sensitive credentials, including API keys, SSH keys, and tokens
- The compromise of development environments and build pipelines
- Potential insertion of malicious code into software builds
- The risk of lateral movement within the network
At this stage, large-scale data exfiltration has not been conclusively confirmed; however, it cannot be ruled out. All affected systems should be treated as fully compromised.
Figure 1. Attack flow diagram related to Axios npm exploitation
Figure 2. Attack flow as observed in LevelBlue’s Cybereason EDR platform
ANALYSIS
Current Exploitation
The attack leverages a compromised trusted package to achieve initial access. By abusing npm’s lifecycle scripts, the threat actor ensures the automatic execution of malicious code during installation.
This technique is highly effective because it:
- Bypasses traditional user interaction-based defenses
- Executes within trusted development workflows
- Impacts both direct and transitive dependencies
The short exposure window suggests a targeted or rapid exploitation attempt, likely relying on automated dependency updates and CI/CD processes.
Threat Analysis
This incident highlights weaknesses in software supply chain trust models, specifically:
- Over-reliance on third-party packages without verification
- Automatic execution of install scripts without validation
- Lack of visibility into dependency-level behavior
- Insufficient monitoring of developer environments
The use of a typosquat-style or hidden dependency (plain-crypto-js) further indicates an attempt to evade detection and blend into legitimate package structures.
Known Post-Exploitation Activities
The following are what we observed as post-infection activities in affected systems:
- Execution of shell commands initiated by npm/node processes
- Downloading of secondary payloads from external infrastructure
- Potential in-memory execution of malware components
- Establishment of outbound connections to attacker-controlled domains
- Indicators of RAT deployment and possible persistence mechanisms
This behavior strongly suggests that the initial compromise quickly transitions into full system access and control.
Recommendations
Immediate containment and remediation actions are required for infected systems:
- Isolate all identified affected systems from the network
- Reimage or rebuild compromised hosts (recommended over partial cleanup)
- Rotate all potentially exposed credentials, including:
- API keys
- SSH keys
- Access tokens
- npm credentials
- Audit CI/CD pipelines and recent builds for integrity
- Review outbound network connections for suspicious activity
- Disable npm script execution where feasible (--ignore-scripts)
- Enforce dependency version pinning and integrity verification
- Enable MFA for all developer and package repository accounts
Indicators of Compromise Associated with Post-Exploitation
|
Type |
Value |
Comment |
|
Sha256 |
e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09 |
package/setup.js |
|
Sha256 |
617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 |
6202033.ps1 |
|
IP |
142.11.206[.]73 |
C2 IP address |
|
Domain |
sfrclak[.]com |
C2 Domain |
|
URL |
http[:]//sfrclak[.]com[:]8000/6202033 |
URL used for C2 / payload server |
These indicators can be used for threat hunting purposes.
LEVELBLUE RECOMMENDATIONS
The LevelBlue Cybereason Defense Platform can detect and prevent Axios post-exploitations. LevelBlue recommends the following actions:
- Implement strict dependency management policies
- Use lockfiles and verified package sources only
- Disable npm lifecycle scripts where not required
- Monitor developer endpoints with the same rigor as production systems
- Integrate supply chain security tools
- Conduct regular threat hunting focused on developer activity
- Establish alerting for unusual package updates or dependency changes
- To hunt proactively, use the Investigation screen in the LevelBlue Cybereason Defense Platform and the queries in the Hunting Queries section to search for assets that have potentially been exploited. Based on the search results, take further remediation actions, such as isolating the infected machines and deleting the payload file.
- Add the aforementioned IoCs to the custom reputation with “Block & Prevent”
HUNTING QUERIES
To detect if the Axios npm compromise has been exploited, run the following hunting query in the LevelBlue Cybereason Defense Platform.
Hunting for Axios Compromise
We recommend running queries to look for Suspicious script execution:
1. Process Element -> add the filters “Process name is cscript.exe OR mshta.exe OR cmd.exe OR wscript.exe” and “Command line contains ’packages.npm’ OR ‘http:’ OR ‘https:’ and “Command line contains ‘AppData\Local\Temp\’
Query with Process element
We provided the following hunting query to obtain the same result:
https://[yourenvironment]/#/s/search?queryString=0<-Process"elementDisplayName:@cmd.exe%7Ccscript.exe%7Cmshta.exe%7Cwscript.exe,commandLine:@packages.npm%7Chttp:~%7Chttps:~,commandLine:@AppData%5CLocal%5CTemp%5C"
2. Process Element ->add the filters “Command line contains ‘6202033.ps1’ OR ’6202033.vbs’
Query with Process element
We provided the following hunting query to obtain the same result:
https://[yourenvironment]/#/s/search?queryString=0<-Process"commandLine:@6202033.ps1%7C6202033.vbs"