
Axios Supply Chain Incident: Indicators of Compromise

Blog post from Semgrep

Authors: Lewis Ardern, Pieter De Cremer, Jayson DeLancey
Summary

On March 30th, the popular HTTP client library Axios was compromised for roughly three hours. During that window, certain versions were published with a malicious dependency, [email protected], that deployed a Remote Access Trojan (RAT) through a postinstall hook. Immediately after installation the hook downloaded a platform-specific payload, giving the attackers the ability to execute arbitrary code, enumerate files, and inject into processes across operating systems. The compromised Axios versions, which included [email protected] and [email protected], were removed from the npm registry to stop further spread.

Anyone who installed an affected version should assume that credentials on that system are compromised, quarantine the affected machines, and rotate credentials. Detection relies on checking for the specific on-disk artifacts and network traffic patterns described in the post, such as HTTP POST requests to the command and control server. Cleanup requires clearing package caches, deleting the affected package versions from private registries, and confirming that no lingering malicious dependency remains in CI/CD environments. Developers should also be wary of IDE extensions, such as the NX Console for VSCode, which can fetch these compromised dependencies on their own even when the project's lockfile pins a safe version.