Axios library suffers supply chain attack, hackers use stolen npm tokens to implant remote trojans, affecting approximately 80% of cloud environments.

Deep Tide TechFlow message, April 02, according to VentureBeat, attackers stole an npm access token of the lead maintainer of the JavaScript’ most popular HTTP client library, Axios, and used that token to publish two malicious versions containing cross-platform remote access trojans (RATs) (axios@1.14.1 and axios@0.30.4), targeting macOS, Windows, and Linux systems. The malicious packages were removed from the npm registry about 3 hours after being published.

According to data from the security company Wiz, Axios is downloaded more than 100 million times per week and is present in about 80% of cloud and code environments. Security company Huntress detected the first wave of infections just 89 seconds after the malicious packages went live, and confirmed at least 135 systems were compromised during the exposure window.

It’s worth noting that the Axios project had previously deployed modern security measures such as an OIDC trusted publishing mechanism and SLSA provenance proofs, but the attackers completely bypassed these defenses. The investigation found that while the project configured OIDC, it still retained the traditional long-lived NPM_TOKEN. When both coexisted, npm defaulted to the traditional token, enabling the attackers to complete the release without having to bypass OIDC.