Axios HTTP Client Compromise
by Mike Puglia
On March 31st between 00:21 and 03:20 (UTC), an attacker compromised the NPM account of the head Axios maintainer and replaced a dependency with a heavily obfuscated Remote Access Trojan (RAT). Axios HTTP Client is one of the world's most used HTTP clients, with 400 million downloads a month. Any developer or CI/CD pipeline that ran an install during those 3 hours would have downloaded the malware and compromised the machine. Given the large number of automated installs, this likely impacted thousands of organizations.
Kaseya & Datto Detection
The prevalence for MSPs and SMBs will be limited, given that most are not building software that uses Axios, but the impact for those affected is very high. Datto EDR and RocketCyber detect this type of attack, and we detected and isolated two organizations during the incident window. We continue to threat hunt across all endpoints for Indicators of Compromise to determine whether any post-compromise activity has occurred.
A snippet from the alert detail (below) shows the malicious activity we detected. The attack copies the PowerShell executable (as wt.exe) into the ProgramData directory (on Windows), downloads the PowerShell script to the user's Temp directory and then executes the payload with the hidden and bypass flags, generating a Defensive Evasion alert.

We have also seen similar alerts through integrations with Microsoft Defender for Business/Endpoint and other EDR products.
Technical Details
The compromise started with an account takeover of the Axios head maintainer's account (jasonsaayman); the attacker then changed the account email to a ProtonMail address (ifstap@proton.me). Now in control, the attacker published a legitimate “plain-crypto-js@4.2.0” package to establish trust.
Approximately 18 hours later, the attacker compromised Axios versions 1.14.1 and 0.30.4 by adding a hidden dependency named “plain-crypto-js@4.2.1”. This package acts as an obfuscated dropper that installs the RAT on end systems. Installs during this window, most of them automated, pulled in the cross-platform RAT (Windows, Mac and Linux). After compromise, the malware deleted its own files and restored package.json to a clean state to evade detection and forensic analysis.
If you were running 1.14.0 or older, you were not impacted. If you updated on March 31st between 00:21 and 03:20 (UTC), you should assume compromise and wipe the machine.
The dropper is tracked as SILKBELL and, based on the OS, installs the RAT on Windows, macOS and Linux endpoints. The RAT is tracked as WAVESHAPER.V2 and beacons every 60 seconds to fetch commands from the threat actor, essentially giving them full control of the machine. It establishes persistence (on Windows) by creating a new Registry Run key that launches the RAT on every login (key below):
Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate
File: %PROGRAMDATA%\system.bat
Google/Mandiant has attributed this to UNC1069, a North Korean threat actor group active since at least 2018.
Detection & IOCs
To determine whether your npm install was compromised, take these steps:
In every Node.js repository, search package-lock.json, pnpm-lock.yaml or yarn.lock for: axios@1.14.1, axios@0.30.4, plain-crypto-js@4.2.1; if found, the endpoint is compromised. Additionally, the following command can be used: “find node_modules -name plain-crypto-js -type d”; if the directory is found, the endpoint is compromised.
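As an added example (not part of the Kaseya advisory or any project's own tooling), a Python scanner for the checks above. It goes slightly beyond the literal string search: package-lock.json (lockfileVersion 2/3) keys packages by node_modules path rather than as name@version, so it is parsed as JSON; yarn.lock and pnpm-lock.yaml (v6 and later) are pattern-matched as text; and the plain-crypto-js directory is looked for under any node_modules, the same check as the find command. The sample tree it builds is constructed test data, not real lockfiles.

```python
import json, os, re, tempfile
from pathlib import Path

# Indicators from the advisory: package@version pairs that mark a compromised install.
COMPROMISED = {("axios", "1.14.1"), ("axios", "0.30.4"), ("plain-crypto-js", "4.2.1")}

def scan_package_lock(path):
    """lockfileVersion 2/3 keys each installed package by its node_modules path."""
    data = json.loads(Path(path).read_text(encoding="utf-8"))
    hits = []
    for pkg_path, meta in data.get("packages", {}).items():
        name = pkg_path.rsplit("node_modules/", 1)[-1]  # drop the nesting prefix
        if (name, meta.get("version")) in COMPROMISED:
            hits.append((name, meta["version"]))
    return hits

def scan_text_lock(path):
    """pnpm-lock.yaml (v6+) keys packages as name@version; yarn.lock puts a
    'version "x"' line inside the block headed by name@range."""
    text = Path(path).read_text(encoding="utf-8")
    hits = []
    for name, ver in COMPROMISED:
        n, v = re.escape(name), re.escape(ver)
        pnpm = re.compile(rf"^\s*/?{n}@{v}[:(]", re.M)
        yarn = re.compile(rf'^"?{n}@[^\n]*:\n(?:[ \t]+[^\n]*\n)*?[ \t]+version "{v}"', re.M)
        if pnpm.search(text) or yarn.search(text):
            hits.append((name, ver))
    return hits

def scan_tree(root):
    """Check every lockfile under root and flag a plain-crypto-js directory in any
    node_modules, which is the advisory's find(1) check."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "node_modules" and "plain-crypto-js" in dirnames:
            findings.append(("dir", os.path.join(dirpath, "plain-crypto-js")))
        for fn in set(filenames) & {"package-lock.json", "pnpm-lock.yaml", "yarn.lock"}:
            full = os.path.join(dirpath, fn)
            hits = scan_package_lock(full) if fn == "package-lock.json" else scan_text_lock(full)
            findings.extend(("lock", f"{full}: {n}@{v}") for n, v in hits)
    return findings

def build_sample_tree():
    """Constructed sample, not real data: v3 package-lock pinning axios 1.14.1, yarn.lock with clean axios plus the hidden dependency, and its directory."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "node_modules", "plain-crypto-js"))
    lock = {"lockfileVersion": 3, "packages": {"node_modules/axios": {"version": "1.14.1"}}}
    Path(root, "package-lock.json").write_text(json.dumps(lock))
    Path(root, "yarn.lock").write_text('axios@^1.14.0:\n  version "1.14.0"\n\nplain-crypto-js@4.2.1:\n  version "4.2.1"\n')
    return root
```

Point scan_tree at the parent directory of your checkouts to cover every repository in one pass; any finding means the endpoint should be treated as compromised per the guidance above.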
Looking for IoCs from the Dropper/RAT:
File System
| Operating System | Path |
|---|---|
| Windows | %PROGRAMDATA%\wt.exe |
| Windows | %TEMP%\6202033.ps1 |
| Windows | %TEMP%\6202033.vbs |
| Mac | /Library/Caches/com.apple.act.mond |
| Linux | /tmp/ld.py |
Persistence (Windows Registry)
| Item | Value |
|---|---|
| Key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate |
| File | %PROGRAMDATA%\system.bat |
File Hash
| File | Type | Hash |
|---|---|---|
| Axios 1.14.1 | SHA1 | 2553649f232204966871cea80a5d0d6adc700ca |
| Axios 0.30.4 | SHA1 | d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71 |
| plain-crypto-js | SHA1 | 07d889e2dadce6f3910dcbc253317d28ca61c766 |
| SILKBELL | SHA256 | e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09 |
| WAVESHAPER.V2 – Linux | SHA256 | fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf |
| WAVESHAPER.V2 – MacOS | SHA256 | 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a |
| WAVESHAPER.V2 – Windows | SHA256 | 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 |
| system.bat | SHA256 | f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd |
| plain-crypto-js-4.2.1.tgz | SHA256 | 58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668 |