Unit 42 researchers have identified a significant supply chain attack on Axios, the widely used JavaScript HTTP client. After the npm account of an Axios maintainer was hijacked, the attacker published compromised releases (v1.14.1 and v0.30.4). These versions pull in a malicious dependency, plain-crypto-js, which delivers a cross-platform remote access Trojan (RAT) capable of reconnaissance and persistence on Windows, macOS, and Linux.
The attack chain starts with an obfuscated Node.js dropper that executes a platform-specific payload; all payload variants speak a single, unified C2 protocol. Initial analysis suggests the malware overlaps with operations attributed to North Korean (DPRK) threat actors, specifically the WAVESHAPER backdoor. The infection is designed to run quickly and includes aggressive anti-forensic steps: the dropper deletes its own script and replaces the malicious package.json with a clean decoy file, so a post-infection look at node_modules may show nothing suspicious. The absence of the dropper on disk therefore does not prove a host was never compromised.
Organizations are urged to audit their projects immediately for the affected versions and for any occurrence of the plain-crypto-js package, including transitive copies pulled in by other dependencies, by checking lockfiles rather than only the direct entries in package.json. Mitigation steps include pinning Axios to a known-good version (1.14.0 or 0.30.3), rotating every credential and CI/CD secret that was reachable from a machine or runner where an affected version was installed, and disabling npm lifecycle scripts during automated builds (for example, installing with `npm ci --ignore-scripts`). Unit 42 also provides XQL queries that security teams can use to hunt for indicators of compromise, such as connections to the C2 domain sfrclak[.]com.