What Happened?
An attacker obtained the npm credentials of an axios maintainer and used them to publish two malicious releases of axios to the npm registry: version 1.14.1 and version 0.30.4. Both versions added a new dependency, plain-crypto-js, whose only purpose is to carry a postinstall script. When the package is installed, that script downloads a platform-specific payload from a remote server and executes it. The payload is a remote access trojan (RAT) that gives the attacker access to the victim's system and establishes a persistent backdoor.
What to do now?
Immediate Actions
Find out whether any of your projects resolved axios 1.14.1 or 0.30.4: search every package-lock.json (and node_modules) for those versions and for plain-crypto-js.
Pin axios to a safe version (1.14.0 on the 1.x line; on the 0.x line, the last release before 0.30.4):
npm install axios@1.14.0
Remove the malicious dependency and do a clean install from the corrected lockfile. Deleting it from node_modules alone is not enough: make sure plain-crypto-js is gone from your lockfile too, otherwise npm ci will simply put it back.
rm -rf node_modules/plain-crypto-js
npm ci
If a compromised version was ever installed on a machine, its postinstall script has already run there, so removing the package does not remove the RAT. Treat that machine (developer laptop, CI runner, build container) as compromised: rebuild it from a known-good image and rotate every secret it could reach.
- npm tokens
- API keys and secrets
- AWS credentials
- Database credentials
- Any other sensitive information
CI/CD Pipeline
- In CI/CD pipelines such as GitHub Actions, always install with npm ci. It installs exactly what the lockfile records and never resolves a range to "latest":
npm ci
- Disable install scripts in CI, so that a postinstall hook in a dependency cannot execute on the runner. If one dependency genuinely needs its build script (a native addon, for instance), run it explicitly afterwards with npm rebuild <package> rather than enabling scripts for everything:
npm ci --ignore-scripts
- Fail the build when the audit reports a high-severity (or worse) vulnerability. Keep in mind that npm audit only knows about advisories that have already been published, so it will not catch a malicious release in the first hours after it lands:
npm audit --audit-level=high || exit 1
- Pin exact versions in package.json instead of ranges ("axios": "1.14.0", not "^1.14.0"), so that a fresh npm install cannot drift onto a newly published release.
- Set a minimum release age, so that installs skip any version published within the last 3 days. This gives the ecosystem time to notice and pull a malicious release before your pipeline pulls it in. Add to your ~/.npmrc file:
minReleaseAge=3