news.volyx.in

Axios compromised on NPM – Malicious versions drop remote access trojan (stepsecurity.io)

1934 points by mtud · 107 days ago · 807 comments on HN

Article summary

The axios JavaScript library was compromised on npm with two malicious versions, axios@1.14.1 and axios@0.30.4, which inject a new dependency that acts as a remote access trojan. The malicious versions were published using a compromised npm account, bypassing the project's normal GitHub Actions CI/CD pipeline. The attack was sophisticated, with the malicious dependency pre-staged 18 hours in advance and designed to self-destruct after execution. Users who installed the malicious versions are advised to assume their system is compromised.

Main themes

  • npm security
  • supply chain attacks
  • package manager vulnerabilities
  • JavaScript ecosystem
  • dependency management
  • security best practices

What commenters say

  • The frequency and magnitude of supply chain attacks on npm are a major concern and a reason to consider alternative package managers.
  • Avoiding JavaScript or npm is not a viable solution to preventing supply chain attacks, as other languages and package managers have similar vulnerabilities.
  • The use of semver operators and lack of package namespacing on npm contribute to the risk of supply chain attacks.
  • Implementing a delay in dependency updates could help mitigate the risk of supply chain attacks, but may not be a long-term solution.
  • The compromise of axios highlights the need for improved security practices and vigilance in the JavaScript ecosystem.
  • The use of post-install scripts and transitive dependencies in package managers like npm increases the risk of supply chain attacks.
  • Other package managers, such as Maven, have more robust security features and practices that could be adopted by npm.
  • The compromise of credentials, such as access tokens, is a significant risk factor in supply chain attacks and highlights the need for improved security measures.