Hackers compromise Axios npm package to drop cross-platform malware
Briefly

"The threat actor published two malicious versions of the Axios package on the Node Package Manager (npm) registry, with one variant appearing at 00:21 UTC and another at 01:00 UTC. The packages lacked the automated OpenID Connect (OIDC) package origin, which should have triggered an alert."
"After gaining access to the package, the attacker injected a malicious dependency called plain-crypto-js@^4.2.1 into the package.json file, which executes a post-install script during installation, launching an obfuscated dropper that contacts a command-and-control server."
"On Windows, the attack utilizes VBScript and PowerShell to run a hidden Command Prompt window and execute a malicious script, indicating a sophisticated approach to the infection chain."
Hackers hijacked the npm account of the Axios package, a widely used JavaScript HTTP client, to deliver remote access trojans. Two malicious versions of the package were published on the npm registry, with the first appearing shortly after midnight UTC. The threat actor gained access by compromising the account of the main maintainer. The attack involved injecting a malicious dependency that executes a post-install script to contact a command-and-control server for further payloads. The potential impact on downstream projects is significant due to Axios's extensive usage.
Read at BleepingComputer