Aditya Agarwal

Axios Gets 100 Million Downloads a Week. Today, Two Came With a Trojan.

Axios is downloaded roughly 100 million times a week. Today, two of the versions it shipped came with a remote access trojan.


The Hijack

An unauthorized party gained access to the npm account of Axios's lead maintainer, jasonsaayman, and changed the registered email address.

The attacker then published two backdoored versions of Axios: 1.14.1 and 0.30.4.


The Payload

Rather than embedding the payload in Axios itself, the attacker added a new dependency, plain-crypto-js, and put the payload there.

The package contained nothing useful: only a postinstall script that, when plain-crypto-js was pulled in by one of the weaponized Axios releases, ran a silent dropper to download the RAT.

The ground had been prepared. An innocuous version of plain-crypto-js was published to npm about 18 hours before the attack, so that the package name already existed on the registry by the time the Axios releases were pushed.

About an hour before the Axios releases, the attacker pushed a new version of the dependency carrying the payload.


The RAT

The RAT reported to its C2 every 60 seconds. It was capable of executing arbitrary commands, exfiltrating system information, and maintaining persistence on the infected machine.

Once the RAT was running, it unlinked its own setup.js, overwrote package.json with a legitimate copy, and cleaned up after itself.

Unless you caught the install in real time, node_modules looked completely normal afterwards.


The Window

In total, the malicious versions were live for roughly three hours, from about 00:21 to 03:15 UTC this morning.

npm pulled the versions once StepSecurity flagged them. But three hours is an eternity for a package downloaded that often.


The Bypass

The bypass took almost no effort. Axios publishes from GitHub Actions using npm's OIDC Trusted Publishing, so the normal release path is a CI workflow.

That path was never touched. Trusted Publishing configures how CI publishes; on its own it does not stop the maintainer account, or a token issued to it, from publishing directly. The attacker simply ran a manual publish with the compromised account's token. No CI, no review, no anything.

The practical consequences: a package is only protected from this if its publishing access is restricted so that tokens cannot publish at all, and a version that lacks the provenance attestation the project's other releases carry is itself a red flag worth checking before you install it.


The Pattern

This is the same pattern we keep seeing. The code is fine. The CI is fine. The maintainer's account is the single point of failure.

We're building production systems on top of packages whose release rights rest with individual accounts, and 2FA on those accounts is not uniformly enforced, let alone phishing-resistant. npm still doesn't require hardware keys for publishing. Signing is optional. There's no publish-time review for high-impact packages.

Axios has been around for over a decade. It's in everything. And today it was a trojan horse for 3 hours because one account got popped.

→ If you ran npm install between midnight and 3 AM UTC today, check your lockfile (package-lock.json, yarn.lock or pnpm-lock.yaml) for axios@1.14.1, axios@0.30.4, or plain-crypto-js at any version. Check the lockfile rather than node_modules: the cleanup described above leaves the installed tree looking normal.
→ Only installs that resolved a fresh version were exposed: a missing lockfile, a floating range, or npm update. An npm ci against a lockfile pinned before today would not have pulled the new release.
→ Include CI runners and container images built in that window, not just developer machines.
→ If any of those show up, assume full compromise.
→ Rotate every credential that machine could reach: npm and cloud tokens, SSH keys, CI secrets, anything in a .env file.

How many more of these do we need before npm enforces mandatory 2FA and publish signing for packages above a download threshold?
