Attackers hijack Axios npm account to spread RAT malware

Summary: Attackers hijacked the Axios npm account and published malicious versions that spread a remote access trojan (RAT), affecting Linux, Windows and macOS systems. After security firms detected the anomaly, they found that the malware spread through a hidden dependency and deleted its own traces after installation to avoid discovery.

2026-3-31 18:30:27 Author: securityaffairs.com


Threat actors hijacked the npm account of Axios to distribute RAT malware via malicious package updates.

Threat actors compromised the npm account of Axios, a widely used library with over 100M weekly downloads, and published malicious versions to spread remote access trojans across Linux, Windows, and macOS. The supply chain attack was identified by multiple security firms after the rogue updates appeared on the npm registry.

Malicious versions of Axios (1.14.1 and 0.30.4) were published within an hour without OIDC verification or matching GitHub commits, raising immediate red flags. Researchers believe attackers compromised maintainer Jason Saayman’s npm account.

“Anyone who installed either version before the takedown should assume their system is compromised. The malicious versions inject a dependency (plain-crypto-js) that deploys a cross-platform remote access trojan targeting macOS, Windows, and Linux.” reads the report published by Aikido Security.

The impact is unclear, but given Axios’ ~400M monthly downloads, many downstream projects may have been exposed during the brief attack window.

Socket researchers reported that a malicious package called plain-crypto-js was published and detected within minutes, likely as part of a coordinated attack targeting Axios. Attackers inserted this dependency into two compromised Axios versions, allowing malware to spread through a trusted library used by millions of projects. Because many developers rely on automatic updates, affected versions could be installed without notice.

The malicious code was designed to stay hidden. It used obfuscation techniques to avoid detection and ran automatically during installation through a post-install script. Once executed, it checked the operating system (Windows, macOS, or Linux) and downloaded a second-stage payload tailored to each platform. In the case of macOS, researchers confirmed the delivery of a fully functional remote access trojan (RAT) capable of collecting system information, communicating with a command-and-control server, and executing commands.

“Security researcher Joe Desimone from Elastic Security captured and reverse-engineered the macOS second-stage binary before the C2 went offline. The payload is a fully functional remote access trojan written in C++.” reads the report published by Socket.

To avoid being discovered, the malware removed its own traces after running. It deleted installation files and restored clean-looking package content, making the infected library appear normal. The experts believe the attack was possible due to the compromise of a maintainer account, enabling unauthorized publishing of malicious updates.

Given the huge number of Axios downloads, the potential impact is significant, even though the exposure window was relatively short.


Socket security researchers found two more packages spreading the same malware through hidden dependencies linked to Axios. The package @shadanai/openclaw included the malicious plain-crypto-js deep inside its code, using identical obfuscation, command-and-control infrastructure, and self-deleting behavior. Another package, @qqbrowser/openclaw-qbot, used a different method by bundling a tampered Axios version that silently installed the malicious dependency.

In both cases, the infection likely happened automatically when these projects pulled the compromised Axios release. This shows how a single poisoned dependency can quickly spread across many projects, especially with automated builds and fast package publishing pipelines.

To check if you’re affected by the Axios attack, verify if your project includes malicious versions (1.14.1 or 0.30.4) or the hidden plain-crypto-js package. Look for leftover files or RAT artifacts on macOS, Windows, or Linux systems. Even if some files were removed, traces may remain. Alternatively, use automated tools like Aikido to scan dependencies and quickly detect any compromised packages.

Both Socket and Aikido provided indicators of compromise (IOCs) for this supply chain attack.


Pierluigi Paganini

(SecurityAffairs – hacking, supply chain attack)

Source: https://securityaffairs.com/190221/security/attackers-hijack-axios-npm-account-to-spread-rat-malware.html