the WORST hack of 2026

NetworkChuck · Beginner ·🔐 Cybersecurity ·3mo ago

Key Takeaways

Analyzes the Axios npm hack and its implications

Full Transcript

This just became the most dangerous command that anyone can run. npm install anything. Fill in the blank n open claw doesn't matter. We're still uncovering just how bad the fallout on this is. Anyone could be infected. You could be infected. And this just happened. Axios, the most popular HTTP library, over 100 million downloads a week, was hijacked. A hacker took over the lead maintainer's account, injected malicious code without actually injecting malicious code, and it deploys a remote access Trojan in under 1.1 seconds, and the malware erases itself. No trace left behind. This just might be the most sophisticated and dangerous supply chain attack in history. Get your copy ready. Let's dig into how this happened today, like just a few hours ago. So, how exactly did this happen? Here's what we know so far. I'm going to walk you through the entire attack from how they got in to how the malware erased itself and how it was discovered because, you know, we're kind of talking about this right now. Now, first, you probably have Axios installed, the thing that got hacked. I'll show you how to check to see if you're on the bad version here in a moment. It's an HTTP library and it's essentially how code talks to the internet, but you'll rarely install it directly. Like, I've never installed Axios, but I do have it installed. How? NPM install. npm is the package manager for JavaScript. Essentially, the app store for code. Devs use it a ton, and so do you. If you've installed something like nan or openclaw, but you're not just installing openclaw when you do that. You're installing a bunch of dependencies or other code written by other people that the app you're installing depends on to work. You're trusting OpenClaw, but OpenClaw is trusting Axios. This is how most software works. And as it stands, the average MPM project trusts 200 to 2100 strangers with code execution. And I want to hit home the strangest part because this is where we got in trouble with Axios. Axio, something that 174,000 projects depend on is coded by a bunch of random people. I mean, here's the change log right here. Looking at the commits, random people. Pay attention to this guy. And these are unpaid people. This is open source. And one of those people got compromised. This guy, I feel so bad for this guy today. Jason Semen, probably not his real name. Maybe it is. He's a lead maintainer for Axios. and the attacker got his access token, a long lived MPM classic access token that gave the attacker the keys to the kingdom. Now, we don't know how this happened just yet. We just know that it did. And this is when things get bad. He changed his account email to this email address, if stoppro.mme. And the attacker was really clever because he never actually added any malicious code to Axios. Instead, he added one line to the package.json file. Here it is. Clean. Don't blink. This is what he changed. Plain crypto.js. Notice dependencies. They keep getting us in trouble. Now, this is a simple dependency. Nothing kind of crazy about it. No one would really notice this. In fact, an average code reviewer would just go, "Oh, that's a simple crypto thing." And the sucker was never imported to any of Axios's 86 source files. It exists only to install its postinstall script. But the attacker was smart. They actually staged a clean version of this file 18 hours before the malicious one. and they were able to bypass the typical CI/CD pipelines by using npm CLI, essentially skipping all the guardrails that would normally catch something like this. Now, socket.dev was the first person or the first company to find this. And they have a really fun diagram I want to show you. Oh, and also they changed two release branches, the 1.x and 0.x, specifically the 1.14.1 and the 030.4. And they were poisoned within 39 minutes of each other. So any project using a carrot range of these two releases would pull the compromised version on the next npm install, which often happens automatically with CI/CD pipelines or when you're just installing Open Clock cuz some YouTuber told you to do it during that time frame. I'm sorry. So when you do mpm install, this post install script runs automatically by itself. You don't have to do anything. And it triggers what's called a dropper. This dropper drops in setup.js. Now it looks harmless. Looks like math, but here we have two layers of obfiscation which hides all the dangerous stuff from static scanners. It's using XR and B 64 and this weird order 7077 phrase. Does anyone know what that means? So now that setup.js has deoffiscated all the dangerous stuff or revealed it, it can use it. It will then detect the operating system that it's currently running on, which operating system you have. It will then contact the C2 server, the command and control server which the attacker operates and downloads the specific RAT or remote access Trojan software onto that computer. And this is what it would look like on Mac, Windows, and Linux. This happens 1.1 seconds after mpm install. And then it cleans up. It deletes setup.js, deletes the malicious package.json, and renames the pre-staged package.md to package.json, which is a clean version. At this point, the attacker has access to your system. They can access your stuff in 1.1 seconds. And you didn't even know. And you weren't doing anything weird or wrong. You were just installing or using software from people that you trust. It's not your fault. It's a supply chain attack. It's kind of like this. If someone wanted to poison me, they could just put poison in this cup of coffee. But that'd be hard cuz I'm always watching my coffee. But they could instead go to the coffee roaster and poison the beans I buy. Actually, I need some more coffee right now. Or maybe they go higher up the chain. Maybe they poison the powder on these coffee bags, the same bags that are used by all the suppliers. That would expand their reach, poisoning a lot more people. I know this analogy is kind of dark. Or they can go bigger. What if they poisoned the water supply? Going after the water I use to brew my coffee. And now they've expanded their use beyond coffee drinkers. It's everyone who uses the water and that's kind of the scope we're dealing with right now with the Axio supply chain attack. So let's find out if you drink the water. Because here's the thing. You might have Axios installed, but you may not even know. I know I have it installed. I think I'm safe. Let's check together right now because again, this stuff just happened. I'm kind of discovering it with you. All right. Thank you, Pikachu. You can leave now. Okay, bye. >> Okay, let's check. Let's open up your terminal first. Type in this mpm list-gios. Check your versions. If you see 1.14.1 or 0.30.4, you may want to do a deeper search across your entire system. We can use this little multi multi-line command here. And I'll have all these commands below for all the systems. And it's finding things I've custom built myself. I didn't even know had Axios in them. It's everywhere, man. Now, let's check if the rat actually made it onto your system. I'm going to use this command to see if it's on my Mac. Not there. I'll have commands for Windows and Linux below. And you can also check if it's going to reach out to the command and control server. This is the IP that was found. It was taken down or it's not up anymore. If none of that showed anything, you're probably good for now. Just keep an eye out. But if you found anything, stop right now. Don't just delete files. Treat your machine as a compromised machine. Rotate your API keys, every credential, every token. I'll have a full remediation checklist below. Keep an eye out. Keep your ear to the ground. And it seems like this is happening more and more often now. Um, h AI is amazing and it's been helping us build stuff, but it's also helping the hackers do things. This is happening way more often than it should. So, pay attention. Be secure. Um, also go watch John Hammond's live stream where he actually woke up and went through all this and went through all the code. It was very fun to watch. I'm sure he'll be dropping a video on this soon as well. And thank you to all you warriors out there, all you amazing people who are remediating all this stuff. This is a massive thing, a massive supply chain attack. So, get that coffee brewing. If you're affected by this, I'd love to hear in the comments below how it's going. How how bad is it? Maybe offer some help or advice for people who may be going through this. That's all I got. I'll catch you guys next time. Hey, you made it to the end of the video. And at the end of my videos, I like to pray for you, my audience. I know it's kind of weird. Go with it. Life is weird. One, two, three. Pray. God, I thank you for the person on the other side of this camera, on the other side of this screen. I ask in your name that you bless them and their lives right now that um if they are affected by this hack that you would give them the passion and the strength and the ability and the diligence and the energy to just tackle this with skill that you would bless their their own personal computing environment, their company's environment, and just I ask that you would make them a rock star in this moment. uh equip them with everything they need. Um if they're not affected, if they're just watching this to learn this, I pray that you would turn them into an amazing cyber security person that you would teach them skills and give them the ability to learn these skills and absorb them to learn about supply chain attacks to learn how to defend against them. Just bless their lives. God, I pray for my audience right now that you would just give them so much favor in their lives and their families. I pray for success over their career and if there's any anxiety over anything in tech that's happening because everything's moving very fast. Remove that anxiety. Just let it melt off of them and let them take one day at a time, learn that next thing and just stay relentlessly optimistic. I ask this in your name, Jesus. Amen. All right, that's all I got. Actually, I'm going to have um going to have Pikachu try to explain supply chain attacks to you real quick. She begged me to let her do this. Hi, I'm Mad Keith and today I'll be I'll be supplying supply chain attacks. The coffee >> the the analogy I gave. >> Oh, okay. So, let's do this. The coffee explanation. So let's say if this really bad guy wants to poison you and you have your cup of coffee, he puts this nice cup of warm hot coffee and he gets poison and he puts in the coffee and you drink it. Okay. But and then the next explanation is if you have a coffee bag with beans in it, coffee beans, and the guy with the poison puts it with the coffee coffee beans. Now you have poison coffee beans. But the really bad one is if the guy where like like there's all these coffee bean bags and they're all together and the guy puts poison in one of the coffee bean bags. All of the coffee bean bags then all of the other coffee bean bags get exposed expo exposed. So that's my that's the explanation. So basically I think what's it called again? >> Supply chain attack. Supply chain attack is where there's a source and it goes in your computer and it like I think it's like a virus, right? >> Yeah, >> it's like a virus and pretend the poison in my analogy is a virus and the coffee in the coffee bean and the coffee bean bags are your computers. So yeah, that's it.

Original Description

Axios, the most popular HTTP library with over 100 million weekly downloads, was just hijacked in one of the most sophisticated supply chain attacks in history. A hacker took over the lead maintainer's npm account, injected a phantom dependency that deploys a cross-platform remote access trojan in 1.1 seconds, and the malware erases itself leaving no trace. I break down exactly how it happened, explain what a supply chain attack is, and show you how to check if YOUR system is affected. npm supply chain attack, axios hacked, axios npm compromised, supply chain attack explained, npm install malware, remote access trojan, axios 1.14.1, plain-crypto-js, npm security, javascript security, open source security, postinstall script attack, supply chain hack 2026 TIMESTAMPS: 0:00 - npm install just became DANGEROUS 0:41 - How the attack happened 0:52 - What is Axios? (and why you probably have it) 1:39 - The account takeover 2:20 - The ONE line of code that did it all 3:06 - How it was discovered 3:32 - The postinstall dropper 4:08 - The RAT payload (Mac, Windows, Linux) 4:28 - The self-destruct (no evidence left) 4:40 - What IS a supply chain attack? 4:55 - The coffee analogy 5:51 - Are YOU affected? Let's check together 6:34 - Checking for the RAT on your system 6:51 - What to do if you're compromised 7:50 - Prayer 9:19 - BONUS: Pikachu explains supply chain attacks ALL COMMANDS, DETECTION SCRIPTS, IOCs, AND REMEDIATION: https://github.com/theNetworkChuck/axios-attack-guide Quick check: npm list axios npm list -g axios BAD VERSIONS: 1.14.1 and 0.30.4 SAFE VERSIONS: 1.14.0 and 0.30.3 One command that would have BLOCKED this attack: npm config set min-release-age 3 RESOURCES: Socket.dev (first to detect): https://socket.dev/blog/axios-npm-package-compromised StepSecurity deep dive: https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan GitHub Issue: https://github.com/axios/axios/issues/10604 Huntress Blog: https://www.h
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from NetworkChuck · NetworkChuck · 0 of 60

← Previous Next →
1 Network Chuck
Network Chuck
NetworkChuck
2 Should I Use a Brain Dump on my CCNA/CCNP/MCSA Exam?
Should I Use a Brain Dump on my CCNA/CCNP/MCSA Exam?
NetworkChuck
3 7 CCNA CCNP Study Tips for the New Year - 2017!!
7 CCNA CCNP Study Tips for the New Year - 2017!!
NetworkChuck
4 CUCM Calling Search Spaces and Partitions: Explained with Star Wars
CUCM Calling Search Spaces and Partitions: Explained with Star Wars
NetworkChuck
5 CCNA or COLLEGE? - Become a Network Engineer
CCNA or COLLEGE? - Become a Network Engineer
NetworkChuck
6 How to Stop Procrastinating and Study for Your CCNA CCNP
How to Stop Procrastinating and Study for Your CCNA CCNP
NetworkChuck
7 Am I Smart Enough to Be a Network Engineer? - CCNA | CCNP Study
Am I Smart Enough to Be a Network Engineer? - CCNA | CCNP Study
NetworkChuck
8 CCNA or Python? | Should I Become a Network Engineer or a Programmer?
CCNA or Python? | Should I Become a Network Engineer or a Programmer?
NetworkChuck
9 CompTIA or Cisco? - Should I get the CompTIA A+/Network+ OR the Cisco CCNA/CCENT - Microsoft MCSA?
CompTIA or Cisco? - Should I get the CompTIA A+/Network+ OR the Cisco CCNA/CCENT - Microsoft MCSA?
NetworkChuck
10 CBT Nuggets GIVEAWAY!! - Get Your CCNA, MCSA, VCP, Security+
CBT Nuggets GIVEAWAY!! - Get Your CCNA, MCSA, VCP, Security+
NetworkChuck
11 3 Cisco CLI (Command-line) Hacks (CCNA) + CBT Nuggets WINNER ANNOUNCEMENT!!
3 Cisco CLI (Command-line) Hacks (CCNA) + CBT Nuggets WINNER ANNOUNCEMENT!!
NetworkChuck
12 Programmers Becoming Network Engineers? - Collab with SimpleProgrammer
Programmers Becoming Network Engineers? - Collab with SimpleProgrammer
NetworkChuck
13 Learning Python is HARD!! - CCNA | CCNP Network Engineer
Learning Python is HARD!! - CCNA | CCNP Network Engineer
NetworkChuck
14 You CAN Learn Python - 10 WINNERS!! - CCNA | CCNP Network Engineer
You CAN Learn Python - 10 WINNERS!! - CCNA | CCNP Network Engineer
NetworkChuck
15 Is it still WORTH IT to become a Network Engineer? | CCNA CCNP
Is it still WORTH IT to become a Network Engineer? | CCNA CCNP
NetworkChuck
16 Should I Learn LINUX with the CCNA | CCNP? - Network Engineer
Should I Learn LINUX with the CCNA | CCNP? - Network Engineer
NetworkChuck
17 Am I Too OLD to Become a Network Engineer? Study for CCNA | CCNP?
Am I Too OLD to Become a Network Engineer? Study for CCNA | CCNP?
NetworkChuck
18 How Much Money Do Network Engineers Make? - CCNA | CCNP
How Much Money Do Network Engineers Make? - CCNA | CCNP
NetworkChuck
19 How Long Does It Take to Become a Network Engineer? - CCNA | CCNP
How Long Does It Take to Become a Network Engineer? - CCNA | CCNP
NetworkChuck
20 Network Engineer or Systems Engineer? CCNA or MCSA? VCA?
Network Engineer or Systems Engineer? CCNA or MCSA? VCA?
NetworkChuck
21 CCNA Exam: 2 Exams or 1? - ICND1 (CCENT) + ICND2 or CCNA Composite?
CCNA Exam: 2 Exams or 1? - ICND1 (CCENT) + ICND2 or CCNA Composite?
NetworkChuck
22 I am officially a CBT Nuggets Trainer!! - NetworkChuck
I am officially a CBT Nuggets Trainer!! - NetworkChuck
NetworkChuck
23 7 CCNA CCNP Study Tips for the New Year - 2018!! w/ Keith Barker CCIE
7 CCNA CCNP Study Tips for the New Year - 2018!! w/ Keith Barker CCIE
NetworkChuck
24 Is NetworkChuck Over!?!?!
Is NetworkChuck Over!?!?!
NetworkChuck
25 Hack a Cisco Switch with a Raspberry Pi - CCNA Security - CCNP Security - Network+
Hack a Cisco Switch with a Raspberry Pi - CCNA Security - CCNP Security - Network+
NetworkChuck
26 STOP Buying IT Certification Books - CCNA | CCNP | A+ | Network+
STOP Buying IT Certification Books - CCNA | CCNP | A+ | Network+
NetworkChuck
27 I'm going to Cisco Live!!! - CiscoLIVE 2018 Orlando
I'm going to Cisco Live!!! - CiscoLIVE 2018 Orlando
NetworkChuck
28 How to become a DEVOPS Engineer feat. Shawn Powers | Linux+ | LPIC-1
How to become a DEVOPS Engineer feat. Shawn Powers | Linux+ | LPIC-1
NetworkChuck
29 Moving my HOME NETWORK to a DATA CENTER w/ DMVPN - CCNA | CCNP
Moving my HOME NETWORK to a DATA CENTER w/ DMVPN - CCNA | CCNP
NetworkChuck
30 The FUTURE of Information Security Engineers - Cisco Security Automation (DNA CENTER)
The FUTURE of Information Security Engineers - Cisco Security Automation (DNA CENTER)
NetworkChuck
31 Network Engineers and AWS (Amazon Web Services) FEAT. Anthony Sequeira | CCNA | CCENT
Network Engineers and AWS (Amazon Web Services) FEAT. Anthony Sequeira | CCNA | CCENT
NetworkChuck
32 Do You Need IT Certifications to Get Started in IT? ft. Jeremy Cioara
Do You Need IT Certifications to Get Started in IT? ft. Jeremy Cioara
NetworkChuck
33 What's next for NetworkChuck? *UPDATE* | CCNA | CCNP | Network Automation
What's next for NetworkChuck? *UPDATE* | CCNA | CCNP | Network Automation
NetworkChuck
34 HOW to Start Coding (RIGHT NOW!) as a Network Engineer - ICND1 | CCNA CCNP & Intent-Based Networking
HOW to Start Coding (RIGHT NOW!) as a Network Engineer - ICND1 | CCNA CCNP & Intent-Based Networking
NetworkChuck
35 6 STEPS to IT CAREER SUCCESS!! - ft. Kevin Wallace | CCNA | CCNP | CCIE | Network+
6 STEPS to IT CAREER SUCCESS!! - ft. Kevin Wallace | CCNA | CCNP | CCIE | Network+
NetworkChuck
36 What is SD-WAN? say GOODBYE to MPLS, DMVPN, iWAN... w/ SDN, Cisco and Viptela
What is SD-WAN? say GOODBYE to MPLS, DMVPN, iWAN... w/ SDN, Cisco and Viptela
NetworkChuck
37 What if you forgot EVERYTHING? - Re-Learning IT after MEMORY LOSS w/ Shawn Powers | Linux | CCNA
What if you forgot EVERYTHING? - Re-Learning IT after MEMORY LOSS w/ Shawn Powers | Linux | CCNA
NetworkChuck
38 I (FINALLY!) Scheduled Cisco CCNP Certification Exam TSHOOT | 300-135
I (FINALLY!) Scheduled Cisco CCNP Certification Exam TSHOOT | 300-135
NetworkChuck
39 NetworkChuck 10 Days of Christmas 2018 - CBT Nuggets | David Bombal | Kevin Wallace (and more!!)
NetworkChuck 10 Days of Christmas 2018 - CBT Nuggets | David Bombal | Kevin Wallace (and more!!)
NetworkChuck
40 How To get a JOB with a CCNA (Network Engineer) |  CCNA Routing and Switching
How To get a JOB with a CCNA (Network Engineer) | CCNA Routing and Switching
NetworkChuck
41 The ONE Skill You NEED in IT - Information Technology
The ONE Skill You NEED in IT - Information Technology
NetworkChuck
42 Should I start Learning AWS?? - NetworkChuck AMA - Ask Me Anything
Should I start Learning AWS?? - NetworkChuck AMA - Ask Me Anything
NetworkChuck
43 Using Arduino, Raspberry Pi and Python to Monitor Cisco Router - #DEVNET CCNA
Using Arduino, Raspberry Pi and Python to Monitor Cisco Router - #DEVNET CCNA
NetworkChuck
44 Fighting IMPOSTER SYNDROME in Information Technology - Network Engineer | System Engineer | CCNA
Fighting IMPOSTER SYNDROME in Information Technology - Network Engineer | System Engineer | CCNA
NetworkChuck
45 Planning for 2019 - Information Technology Goals - CCNA | AWS | MCSA
Planning for 2019 - Information Technology Goals - CCNA | AWS | MCSA
NetworkChuck
46 CompTIA or Cisco? - Revisiting CCENT vs Network+ in 2019 | CCNA | MTA | MCSA
CompTIA or Cisco? - Revisiting CCENT vs Network+ in 2019 | CCNA | MTA | MCSA
NetworkChuck
47 5 Reasons You Shouldn't Become a Network Engineer | CCNA | Information Technology
5 Reasons You Shouldn't Become a Network Engineer | CCNA | Information Technology
NetworkChuck
48 No Future for Network Engineers? - CCNA | CCNP
No Future for Network Engineers? - CCNA | CCNP
NetworkChuck
49 What is a VMware Engineer? | VMware Certified Professional - VCP | MCSA | CCNA
What is a VMware Engineer? | VMware Certified Professional - VCP | MCSA | CCNA
NetworkChuck
50 you didn't win...
you didn't win...
NetworkChuck
51 Let's QoS My Home Network - LIVE NUGGET (Quality of Service) - CCNA - CCNP Collaboration
Let's QoS My Home Network - LIVE NUGGET (Quality of Service) - CCNA - CCNP Collaboration
NetworkChuck
52 I PASSED THE TSHOOT EXAM!! - CCNP TSHOOT (I also failed)
I PASSED THE TSHOOT EXAM!! - CCNP TSHOOT (I also failed)
NetworkChuck
53 David Bombal and NetworkChuck - This is IT! EP 1 | Azure, CiscoLIVE, Devnet
David Bombal and NetworkChuck - This is IT! EP 1 | Azure, CiscoLIVE, Devnet
NetworkChuck
54 CCNA Lab in the Azure Cloud for FREE! - GNS3 Setup in Microsoft Azure
CCNA Lab in the Azure Cloud for FREE! - GNS3 Setup in Microsoft Azure
NetworkChuck
55 Get your CCNA in 2019
Get your CCNA in 2019
NetworkChuck
56 CCNA Cyber Ops vs CCNA Security
CCNA Cyber Ops vs CCNA Security
NetworkChuck
57 WI-FI 6, Why it's the BIGGEST update to Wi-Fi EVER! - 802.11ax
WI-FI 6, Why it's the BIGGEST update to Wi-Fi EVER! - 802.11ax
NetworkChuck
58 2 Steps to Getting Started in Networking (and IT!) | CCENT | CompTIA A+
2 Steps to Getting Started in Networking (and IT!) | CCENT | CompTIA A+
NetworkChuck
59 HACK your IT Study Habits - CCENT - CCNA - A+ | Atomic Habits
HACK your IT Study Habits - CCENT - CCNA - A+ | Atomic Habits
NetworkChuck
60 Is MPLS DEAD?!? w/ Keith Barker and Jason Gooley | CCNA CCNP CCIE
Is MPLS DEAD?!? w/ Keith Barker and Jason Gooley | CCNA CCNP CCIE
NetworkChuck

Related Reads

📰
Auto-Fix is not the Problem. The Signal is the Problem.
Learn why auto-fixing vulnerabilities can introduce risk without security benefits and how AI can improve the process by investigating findings in context
Dev.to AI
📰
Card Testing Fraud: How the $1 Charge Storm Works and How to Stop It
Learn how card testing fraud works and how to prevent it from turning your donation form into a validator for stolen cards
Dev.to · ABDULLAH AFZAL
📰
Understanding CORS Preflight Requests
Learn how CORS preflight requests work and why they're essential for web security, using HTTP OPTIONS to enable cross-origin resource sharing
Dev.to · Alireza Hassankhani
📰
Reproduce an OAuth Refresh-Token Rotation Race With Two Requests
Learn to reproduce an OAuth refresh-token rotation race with two requests to test atomic replacement and safe token-family revocation
Dev.to · jaryn

Chapters (16)

npm install just became DANGEROUS
0:41 How the attack happened
0:52 What is Axios? (and why you probably have it)
1:39 The account takeover
2:20 The ONE line of code that did it all
3:06 How it was discovered
3:32 The postinstall dropper
4:08 The RAT payload (Mac, Windows, Linux)
4:28 The self-destruct (no evidence left)
4:40 What IS a supply chain attack?
4:55 The coffee analogy
5:51 Are YOU affected? Let's check together
6:34 Checking for the RAT on your system
6:51 What to do if you're compromised
7:50 Prayer
9:19 BONUS: Pikachu explains supply chain attacks
Up next
Is your free email putting your bank account at risk? #Podcast #Interview #Efani #BankAccounts
efani
Watch →