HUGE supply chain attack
Skills:
Network Security90%
Key Takeaways
Discusses a supply chain attack on the Axios npm package
Full Transcript
Now, normally I wouldn't record a video like this, but considering the size, scale, and severity of this incident, I thought being faster, being more rapid in a rapid response response would probably be a good thing because there has been a supply chain compromise of the Axios library. Basically ubiquitous like just about every JavaScript running application or solution uses this package and this library in the npm package and repository. And the thing is, we have seen and confirmed hosts have been compromised. This is literally a rough draft of the blog post and article that I'm thinking hoping presumably Huntress, my day job, will put out. And I did want to note, look, uh, we I I crapped this together with a little bit of AI. Wanted to be totally upfront, transparent with that, gave it enough context from what I dug into during our live stream to investigate this breaking in the moment when the news was first hitting the streets. But we've observed active exploitation of a supply chain compromised targeting the Axios npm package. It has over 100 million weekly downloads. Now the attack delivers a cross-platform like Windows supported, Linux supported and Mac supported remote access Trojan or command and control capability to access the downstream victims. And they do this with a malicious dependency injected into the backdoor Axios release versions 1.14.1 or 030.4 4 are the malicious packages. Ultimately, these funnel down to that phantom dependency of plain-crypto-JS version 4.2.1. That plain-crypto-JS, presumably trying to typo squad off of legitimate crypto-JS did not exist previously, and it is never really genuinely used by Axio's code. It literally was just to execute a, you guessed it, postinstall script that runs the malware. For folks that aren't familiar with what Axios is, it is a promisedbased HTTP client. But I was alluding to the fact that it is just about everywhere. It's a transitive dependency for countless packages and of course CI/CD, continuous integration or whatever that I letter is supposed to be. Continuous deployment, continuous delivery pipelines, developer workstations, and production applications worldwide. any environment that ran npm install or actually updated and resolved to the malicious Axios version during the time that it was alive and published on the npm registry and repository about 3 hours of exposure those hosts are compromised while the packages have now been removed from npm okay we've stopped the bleeding treat for shock there are still hundreds of hosts if not thousands as I'm sure we'll see more come out of the woodwork for further post exploitation in the coming days but the damage is done. What happened was that an attacker gained access to one of the maintainers or contributors access to their npm account in the open- source Axios library. Switched up their email address, bypass normal GitHub actions control with a long lived access token and a little bit of a breadcrumb in there. But the maintainer Jason is saying even in GitHub issues, this is a wild saga. If you haven't looked through this, you absolutely should. kind of crazy, but there's a segment here as folks are discussing this nice meme. The remaining items, you can see Jason does chime in and he says, "Oh, hey, I'm sorry. It's 5:00 a.m. in my country. I'm looking into this." Everyone's like, "You got this. We bring to arms." I'm trying to get support to understand how this even happened. I have two-factor authentication, multiffactor on basically everything I interact with. So far, as this is still breaking news, I don't think we really know exactly how the account was compromised and how bad actors got into Jason's capability and access to the library, but I'm waiting for that root cause analysis. Interesting thing though, that plane-crypto package was prepared uh a bit before it fired, adding it into upstream Axios, right? little bit of a timeline here where you can see when the actual malicious package that is called out to and in part of Axios now and the delta in the minutes the seconds the moments here are kind of wild because internally right when we're protecting partners organizations and companies look we see okay that hit a minute and a half after it's published and one Mac OS host is already hosed sometime after we're catching wind for Windows infections but the fact that this trickles down and with it only being live on npm for sure an hour, two hours, three hours, whatever. It's going to have severe size and scale because how many packages, applications, runtimes, CI/CD pipelines genuinely rely on Axios and it hits in a minute and a half. Wild attack. The gimmick here is that the setup.js JS or the syntax and code that's actually fired as the post install hook has a little bit of oh cutesy reverse base 64 exor some decoding and decrypting that it might do to hide away the rest of the syntax and what it's going to actually do depending on the platform that it's in. Now in case you're curious we have the payload and I've staged that in a GitHub gist. You can see that here and if this gets published it'll be embedded within the blog post. But in case you want to see what it looks like, this is the smoking gun. That syntax ends up staging either the Windows remote access Trojan or the Linux or Mac one. And the process execution chain is a little bit interesting here because that setup.js. Once it fires, it's going to write a Visual Basic script tucked away hidden window. Actually put PowerShell.exe to what folks might consider WT.exe as the Windows terminal. Natural now modern Windows 11. if just so the process chain doesn't look as weird for an edr or sim or seam solution. We'll still catch the fact, hey, that's running out of an irregular directory and then it's doing weird cmd.exe commands to curl down and actually post data with another strange looking URL in there. That's another little clever trick to just look like natural data, but actually hitting a command and control interface. sfrclack.com on port 8000 with a little campaign ID or interesting sort of key here ends up staging the PowerShell script to do more damage and then it covers its tracks after it executes and fires the next stage payload. You can see the process picture here. The rat on Windows does end up setting persistence in the Windows registry with the usual hey kind of classic cookie cutter classic autorun startup location in HKCU or the current user. So, local privileges to add that. And then it ends up looking through your file system to uncover your documents, desktop, one drive, roaming app data, and file system drive roots. And then it ships that off to the command and control C2 and starts to loop to keep operating as the maintain access. It has some handlers. So, remotely via the command and control to drive the now victim computer that the hacker has compromised. They could kill the engine. They could inject and run more code with some .NET assemblies and maybe get in some stuff in memory or they could run even more PowerShell scripts or just explore more directories and dig into files. Again, I do have the Windows payload gist if you're interested. That is pure PowerShell. Whole payload is available on that GitHub gist and you can see everything that they did, but if you wanted to scroll through it together with me, uh you can catch that as part of the live stream bot or hang out when we're live streaming together. It's a lot of fun and I don't want to fall down the rabbit hole on all of the technical details even in the Mac OS or Linux direction. The Linux one uses a Pythonbased rat, but it's basically going to end up doing the almost exact same thing the Windows does syntactically, right? Just in the Python flavor rather than PowerShell, but it does not actually add persistence. There was no like, oh, hooking into a bash RC or setting up some cron job or anything weird. It just kind of runs. So, if you were to end up stopping that process, if you could track it down, if you could find those indicators of compromise, if you could even restart the thing, but you got to keep in mind that is intentionally likely built to be inside of a CI/CD pipeline where the sensitive secrets are kind of all that they're after. They're not expecting something to be shut down or rebooted or even monitored because it's probably part of some scaffolding, part of a production application that you never turn off in the first place. But, I don't know if you caught it, but it stuck out to me. I thought it was I don't know maybe an Easter egg maybe just something silly but the campaign ID or the path they keep using the numbers 62033 H if you end up reversing that the numbers 330 and 2026 point to March 30th 2026 exactly when the supply chain fired off. I thought that was neat or at least a little bit peculiar. Now in the post bodies that are uh designed to mimic regular npm like uh package repository communication and traffic the data that you might have seen attached to the body of a post request is actually the indicator so that server side they're able to switch off and toggle okay what variant are we actually going to install and deploy. Is it the Linuxbased payload? Is it the Windowsbased payload? Is it the Mac OS one? But they make it a little bit clever because that's not the real npmjs.com. In fact, it's just some other random red herring lookalike data just to look like something. But I was falling down the rabbit hole because I was kind of stoked about, hey, our own security operations center and our analysts that were actually tracking this thing and it caught it basically even concurrent with this unfolding before the public sounding the alarm and everyone screaming and shouting on Twitter. We're actually seeing the evidence of hey us tracking it down again 89 seconds after it pops. Wanted to credit the sock analysts because truly they're the ones doing the real work. I am a mere parrot just regurgitating their incredible effort. So absolutely shine the spotlight on them. Giving them credit, kudos, and credit where credit is due. But it's hysterical to a certain extent. I I saw this fly by and I just thought it was so perfect because everyone's having the realization, wow, we've had AI, you know, consume our whole world in that, oh, everyone npm installs just about everything now. The supply chain is an absolute abyss and we're curl piping to bash all the time now. Whether it's Open Claw, whether it's WordPress, whether it's whatever. Chad says, "Look, is npm cooked? Are we cooked right now?" All that is to say it was cool to see look we're already tracking this thing the moment that it breaks and we already getting the full picture. Okay, we are seeing the actual compromises at least 100 from what we have visibility over mainly in the Mac OS ecosystem and I'm sure plenty in the a Linux world as well. But again, this has some wild implications and a bit of a blast radius here that uh I thought it was kind of worth going live at 1 in the morning, midnight, 2 am to kind of scream and shout about this because I want to make sure you are aware and how you can mitigate. First things first, if you are working with these packages, look, double check your lock files. Double check your like package.json and the running lock uh association to make sure you're not using any of the malicious packages or any rendition of that back or any malicious package here. look for them across your environment. And I did want to give the shout out and love to step security, who I think helped really first sound the alarm on this thing. So look for this across all of your hosts, but realistically also look for those indicators of compromise because that's how you know, okay, one host could still just as easily be hosed. If that hasn't been like rotated, recycled, maybe reformatted if you want to go to that extent if you're not rotating credentials and everything, assume it is compromised because someone's npm account got taken over. This wasn't a CVE. This wasn't a vulnerability. This was an exploit. It wasn't some zero day. It was, hey, we are uh falling on our own sword as to what the infrastructure of the internet and software is right now. It felt good to play a part of this though. It felt good to jump in for some of that rapid response and I hope that uh I'm still giving you some good valuable insight. The blog of course will be out and about. I did want to get this extra early rapid rapid response video so that folks can be aware of this when they wake up in the morning. And we have some of the indicators of compromise here just as well if you wanted to be able to extract those out and go do your own due diligence. But please, please, please, goodness gracious, supply chain shenanigans hitting the streets again. Everybody in the industry has jumped onto this. Socket Security shared their blog and they're monitoring the situation. Step security still sharing some incredible stuff on this front. Akaido, Aikido. I'm sorry. I get it wrong every time. You guys know we're friends, though. Joe from over at Elastic has some incredibly good insight just as well. So, I I'll include links in the video description for all of these things that I've been researching and referencing here for you. And I hope you can get yourself a little more oriented in how this Axios npm supply chain is going to unfold. The latest from Jason about 10 minutes ago as I'm recording actively trying to help spread the word. This is the individual that had their npm account taken over that let the bad actor and hacker push to npm and do the supply chain for the Axio library. It seems to me that someone used one of my recovery codes. How is this even possible is beyond me. Look, please let me know what do you think. Do you agree? Do you disagree? Am I going a little bit crazy thinking, whoa, this is whatever I don't know, blue screen of death on every computer? Is this another log 4j falling from the sky? I I do think though this could very well explode and we will see post exploitation and maintained access just coming out of the woodwork for the next day or two or week or however many day or two weeks. I don't know. Uh if anything I think this is just wow a story to tell. Axios compromised then that's every that's what I know as the go-to tool to do this in JavaScript to communicate with websites. So, this is wakeup call, slap in the face, whatever buzzword we want. And I think we're going to see a heck of a lot more supply chain compromises just like this with the old robots running
Original Description
https://www.huntress.com/blog/supply-chain-compromise-axios-npm-package
https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
https://socket.dev/blog/axios-npm-package-compromised
https://socket.dev/npm/package/plain-crypto-js/files/4.2.1/setup.js
https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat
https://gist.github.com/joe-desimone/36061dabd2bc2513705e0d083a9673e7
https://github.com/axios/axios/blob/v1.x/.github/workflows/deprecate.yml
Learn Cybersecurity and more with Just Hacking Training: https://jh.live/training
See what else I'm up to with: https://jh.live/newsletter
ℹ️ Affiliates:
Learn how to code with CodeCrafters: https://jh.live/codecrafters
Host your own VPN with OpenVPN: https://jh.live/openvpn
Get Blue Team Training and SOC Analyst Certifications with CyberDefenders: https://jh.live/cyberdefense
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from John Hammond · John Hammond · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Code Commentaries? PHP to JavaScript in Bash and PHP!
John Hammond
Tutorials? MySQL connection with PHP and Bash!
John Hammond
Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
John Hammond
JavaScript Splits The URL!
John Hammond
HTML Tables in Python!
John Hammond
HTML, Net Shares, GML!
John Hammond
Python 08 Programming Style and Comments
John Hammond
Python 26 Object Oriented Programming
John Hammond
75 Python Tutorials, Out Now!
John Hammond
Batch 14 Mathematical Expressions
John Hammond
Batch 85 Array Append
John Hammond
Batch 86 Array Count
John Hammond
Batch 87 Array Index
John Hammond
Batch 88 Array Insert
John Hammond
Batch 89 Array Remove
John Hammond
Batch 90 Array Reverse
John Hammond
Python [colorama] 00 Installing on Linux
John Hammond
Python [colorama] 09 Cursor Position
John Hammond
Python [hashlib] 02 Algorithms
John Hammond
Python 00 Installing IDLE on Linux
John Hammond
Python [pygame] 11 Rectangular Collision Detection
John Hammond
Python [pygame] 12 Platforming Rectangular Collision Resolution
John Hammond
Python [XML-RPC] 01 Research
John Hammond
Python [pyenchant] 03 Personal Word Lists
John Hammond
FancyURLopener Authentication and User-Agent [urllib] 03
John Hammond
Python 04: PEP8 Coding
John Hammond
Python Challenge! 17 COOKIES
John Hammond
Google CTF 2016: Ernst Echidna
John Hammond
Google CTF 2016: Spotted Quoll
John Hammond
Google CTF 2016: Can you Repo It?
John Hammond
Google CTF 2016: No Big Deal
John Hammond
Google CTF 2016: In Recorded Conversation
John Hammond
Homemade CTF Challenge: 01 "Orchestra"
John Hammond
Homemade CTF Challenge: 02 "Bae's Base"
John Hammond
Homemade CTF Challenge: 03 "Web Hunt"
John Hammond
Homemade CTF Challenge: 04 "UPX"
John Hammond
Homemade CTF Challenge: 05 "The Assumption Song"
John Hammond
Homemade CTF Challenge: 06 "A Brisk Stroll"
John Hammond
Homemade CTF Challenge: 06 "I lost my password!"
John Hammond
web25 :: Mr. Robot : EKOPARTY CTF 2016
John Hammond
web50 : RFC 7230 :: EKOPARTY CTF 2016
John Hammond
misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
John Hammond
Hack The Vote 2016 CTF: Sander's Fan Club [web100]
John Hammond
Hack The Vote 2016 CTF Warpspeed [forensics150]
John Hammond
Juniors CTF 2016 :: Black Suprematic Square
John Hammond
Juniors CTF 2016 :: Six Strange Tales
John Hammond
Juniors CTF 2016 :: Lost Code
John Hammond
Juniors CTF 2016 :: Here Goes!
John Hammond
Juniors CTF 2016 :: Southern Cross
John Hammond
Juniors CTF 2016 :: Clone Attack
John Hammond
Juniors CTF 2016 :: Dirty Repo
John Hammond
Juniors CTF 2016 :: Hackers Blog
John Hammond
Juniors CTF 2016 :: Voting!!!
John Hammond
Juniors CTF 2016 :: The Good, The Bad and The Junkman
John Hammond
Juniors CTF 2016 :: Stop Thief!
John Hammond
Juniors CTF 2016 :: ROFL
John Hammond
Juniors CTF 2016 :: Restriced Area
John Hammond
Juniors CTF 2016 :: Oh SSH!
John Hammond
HackCon CTF 2017 TRIVIA and BONUS Challenges
John Hammond
HackCon CTF 2017 "Bacche" Challenges
John Hammond
More on: Network Security
View skill →Related Reads
📰
📰
📰
📰
Spotlight: Zishan Ahamed Thandar — The Cybersecurity Expert Strengthening Digital Defenses
Dev.to · Moonlight
The Expert You’d Call in a Ransomware Attack Sees Everything. One Sold It to the Gang.
Medium · Cybersecurity
Australia finds serious gaps in Big Tech’s response to child sexual abuse online
The Next Web AI
The Future of Endpoint Security: Why Visibility, Intelligence, and Automation Will Define the Next…
Medium · Cybersecurity
🎓
Tutor Explanation
DeepCamp AI