Unit 42 discusses the supply chain attack targeting Axios. Learn about the full attack chain, from the dropper to forensic cleanup.

Unit42 is a cybersecurity research team known for its  analysis of cyber threats, malware, and cyber attack trends. Through research reports, threat intelligence briefings, and data analysis, Unit42 offers insights into emerging cyber threats and adversary tactics. Readers can learn about threat detection methodologies, vulnerability trends, and cyber attack attribution to enhance their cybersecurity posture and protect their organizations from advanced cyber threats.

Unit 42

Unit 42 researchers detail a supply chain attack targeting the Axios JavaScript library after an npm maintainer account was hijacked. Malicious versions v1.14.1 and v0.30.4 injected a hidden dependency called plain-crypto-js, which acted as a cross-platform RAT affecting Windows, macOS, and Linux. The dropper used obfuscation (Base64, XOR), triggered via npm postinstall hooks, and fetched platform-specific payloads from a C2 server. All three OS variants shared the same RAT framework with identical C2 protocol. The attack overlaps with DPRK-linked threat actor WAVESHAPER. Forensic cleanup occurred within 15 seconds of installation. Mitigations include auditing for compromised versions, rotating all credentials, pinning dependencies to safe versions, blocking C2 traffic, and hardening CI/CD pipelines with --ignore-scripts.

Threat Brief: Widespread Impact of the Axios Supply Chain Attack

Palo Alto Networks Product Protections for the Axios Supply Chain Attack