Overview

On March 31, NSFOCUS CERT detected that the npm repository of the HTTP client library Axios was poisoned by the supply chain. The attacker bypassed the normal GitHub Actions CI/CD pipeline of the project, changed the account email address of the axios maintainer to an anonymous ProtonMail address, and manually released a malicious version with a Trojan backdoor through the npm CLI. When the user installs it, a persistent remote control will be established on the host. The impact is wide-ranging, and relevant users are requested to take measures for investigation and protection as soon as possible.

Axios is an open source JavaScript HTTP client based on Promise, widely used in browsers and Node.js environments.

Reference link: https://github.com/axios/axios/issues/10604

Scope of Impact

Affected versions

• axios = 1.14.1
• axios = 0.30.4

Note: Windows, macOS, and Linux systems are all affected, with more than 300 million downloads per week.

Unaffected versions

• axios <= 1.14.0
• axios <= 0.30.3

Event Analysis

The attackers stole and took over the npm and GitHub accounts of Jason Saayman, the main maintainer of the Axios project, and changed his email address to an anonymous ProtonMail address: [email protected], the attacker first pre-arranges a clean [email protected] through a separate one-time account [email protected] to establish an npm release history and circumvent security tools’ detection alarms for new packages; After 18 hours, the malicious package [email protected] was updated on npm, bypassing the normal GitHub Actions process to release the malicious versions [email protected]. and [email protected], and adding [email protected] as a runtime dependency; Plain-crypto-js will execute the setup.js malicious script (RAT dropper) during installation, which will detect the current system and distribute different remote control payloads according to the three platforms of macOS, Windows, and Linux.

The attacker implanted self-destruct logic in setup.js. After the Trojan backdoor is executed, it will automatically delete its own script files, delete package.json with malicious hooks, and replace them with clean disguise files prepared in advance.

Event timeline:

• 3/30 05:57:32 UTC, the attacker created [email protected] (clean camouflage package)
• 3/30 23:59:12 UTC, the attacker released [email protected] malicious payload 3/31 00:21:58 UTC, the attacker released [email protected] malicious version through npm CLI
• 3/31 01:00:57 UTC, The attacker released the malicious version of [email protected] through npm CLI 3/31 02:30 UTC, and deleted the alarm issue
• 3/31 03:40:46 UTC with administrator privileges. npm removed the malicious version and revoked all tokens
• 3/31 NSFOCUS CERT issued an early warning notice

Risk Investigation

Relevant users can conduct troubleshooting according to the following steps:

1. Use the following command to check whether there is a malicious version of Axios in the project

2. Check the CI/CD pipeline log to see if there is any npm install/npm update operation for pulling or installing a new version of Axios

3. Check whether there is a malicious dependency package plain-crypto-js in node_modules

Note: If package.json is a clean stub, it means that the backdoor Trojan has been run.

Users can use the command of the corresponding system to check whether there is a backdoor Trojan on the affected host:

Summary and Recommendations

This incident has once again sounded the alarm for supply chain security in the front-end ecosystem and open source community. Units must establish a normalized open source component security audit mechanism and build a complete supply chain security governance system to prevent such threats.

It is recommended that affected users take the following measures:

1. Immediately downgrade axios to a safe version and force all indirect dependencies of the project to use:

2. Remove plain-crypto-js from node_modules, clear the npm cache and reinstall dependencies:

3. Revoke and rotate all system npm tokens, SSH keys, cloud account keys, CI/CD keys, database passwords and other credentials;

4. Block and investigate malicious IoCs; 

5. Implement the principle of least privilege, limit the access scope of CI/CD tools, and rotate credentials regularly;

6. Establish a normalized open source component audit mechanism and increase multiple approval processes before release.

IOCs

Malicious files

File name: [email protected]

SHA1: 2553649f2322049666871cea80a5d0d6adc700ca

File name: [email protected]

SHA1: d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71

File name: [email protected]

SHA1: 07d889e2dadce6f3910dcbc253317d28ca61c766

Malicious domain name/IP

• sfrclak.com
• callnrwise.com
• 142.11.206.73

Malicious URL

http://sfrclak.com:8000/6202033

Malicious mailbox

[email protected]

[email protected]

Others

User-Agent:mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, a pioneering leader in cybersecurity, is dedicated to safeguarding telecommunications, Internet service providers, hosting providers, and enterprises from sophisticated cyberattacks.

Founded in 2000, NSFOCUS operates globally with over 4000 employees at two headquarters in Beijing, China, and Santa Clara, CA, USA, and over 50 offices worldwide. It has a proven track record of protecting over 25% of the Fortune Global 500 companies, including four of the five largest banks and six of the world’s top ten telecommunications companies.

Leveraging technical prowess and innovation, NSFOCUS delivers a comprehensive suite of security solutions, including the Intelligent Security Operations Platform (ISOP) for modern SOC, DDoS Protection, Continuous Threat Exposure Management (CTEM) Service and Web Application and API Protection (WAAP). All the solutions and services are augmented by the Security Large Language Model (SecLLM), ML, patented algorithms and other cutting-edge research achievements developed by NSFOCUS.

The post Axios Front-End Library npm Supply Chain Poisoning Alert appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks..

*** This is a Security Bloggers Network syndicated blog from NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. authored by NSFOCUS. Read the original post at: https://nsfocusglobal.com/axios-front-end-library-npm-supply-chain-poisoning-alert/