Attention to all developers using Axios! If you are using one of the following versions of the axios npm package (v1.14.1 or v0.30.4), you should check your servers and computers immediately due to a malicious “phantom dependency” called plain-crypto-js.
What happened?
Recently, many social engineering attacks have targeted library developers. It is believed that a similar attack occurred against the maintainer of the axios library. Logs indicate that “nrwise” was added as another author on the npm push logs of axios.
For this reason, it is highly recommended to implement robust supply chain safety checks within each CI/CD pipeline. Your computers running JavaScript projects may already be compromised.
The Core Issue: plain-crypto-js
What was injected?
As mentioned earlier, a package named plain-crypto-js was injected as a dependency into the axios package by the attackers. The name is a typosquatting strategy designed to resemble crypto-js, a legitimate package used for cryptographic functions.
How the injection occurs
In the package.json file of the affected package, there is a “postinstall” script that runs setup.js automatically during installation. The malicious code resides within setup.js.
Once deobfuscated, the script executes the following on Windows (it uses a different method for Linux and macOS):
- Downloads a PowerShell script from the C2 server.
- Executes it using reflective DLL injection.
- Establishes registry persistence.
Mitigation
To clean up your Windows environment specifically, perform the following steps:
- Block all HTTP requests to the address sfrclak.com.
- Block all connections to IP 142.11.206.73.
- Scan for temporary files with the prefix %TEMP%/6202033.*.
- Delete the following files:
  - %ProgramData%\wt.exe
  - %ProgramData%\system.bat
- Remove the registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run (specifically the entry named MicrosoftUpdate).
