Axios library suffers supply chain attack, hackers use stolen npm tokens to implant remote trojans, affecting approximately 80% of cloud environments.

Deep Tide TechFlow message, April 02, according to VentureBeat, attackers stole the npm access token of Axios’s lead maintainer of the most popular JavaScript HTTP client library and used that token to publish two malicious versions containing cross-platform remote access trojans (RATs) (axios@1.14.1 and axios@0.30.4), targeting macOS, Windows, and Linux systems. After the malicious packages were left on the npm registry for about 3 hours, they were removed.

According to data from the security firm Wiz, Axios is downloaded more than 100 million times per week and is present in about 80% of cloud and code environments. The security company Huntress detected the first batch of infections just 89 seconds after the malicious package went live, and during the exposure window confirmed that at least 135 systems were compromised.

It is worth noting that the Axios project had previously deployed modern security measures such as an OIDC trusted publishing mechanism and SLSA provenance proofs, but the attackers fully bypassed these defenses. The investigation found that while the project was configuring OIDC, it still retained the traditional long-lived NPM_TOKEN; when the two coexisted, npm defaulted to prioritizing the traditional token, allowing the attacker to complete the publication without having to break through OIDC.