Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account

Summary

A supply chain attack has targeted the popular Axios HTTP client for Node.js. Versions 1.14.1 and 0.30.4 of the npm package were compromised, introducing a malicious dependency called "plain-crypto-js" version 4.2.1. This malicious package was injected using the compromised npm credentials of a primary Axios maintainer.

IFF Assessment

FOE

This attack compromises a widely used software component, potentially affecting the many downstream applications that depend on it and expanding the attack surface defenders must cover.

Defender Context

This incident highlights the ongoing risk of supply chain attacks, where the compromise of a single popular library can have widespread implications. Defenders should prioritize vetting dependencies, deploying software composition analysis (SCA) tooling, and hardening their CI/CD pipelines.
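As an added example (not code from the advisory or the Axios project), the following Node.js script flags the compromised versions named above inside a package-lock.json, walking both the v2/v3 "packages" map and the older v1 nested "dependencies" tree so that transitive installs are caught; the lockfile contents and the "some-sdk" package name are constructed.

```javascript
// Added example (not from the advisory); indicator versions are those named above.
const INDICATORS = {
  axios: new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": new Set(["4.2.1"]),
};

// package-lock v2/v3: flat "packages" map keyed by install path, so nested
// (transitive) copies appear as "node_modules/a/node_modules/axios".
function scanPackagesMap(packages, indicators, hits) {
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (indicators[name]?.has(meta.version)) hits.push({ name, version: meta.version, path });
  }
}

// package-lock v1: nested "dependencies" tree; recurse into each entry's
// own "dependencies" object to reach transitive installs.
function scanV1Tree(deps, prefix, indicators, hits) {
  for (const [name, meta] of Object.entries(deps ?? {})) {
    const path = `${prefix}node_modules/${name}`;
    if (indicators[name]?.has(meta.version)) hits.push({ name, version: meta.version, path });
    scanV1Tree(meta.dependencies, `${path}/`, indicators, hits);
  }
}

// Returns every install of an indicator package at a compromised version.
function findCompromised(lock, indicators = INDICATORS) {
  const hits = [];
  if (lock.packages) scanPackagesMap(lock.packages, indicators, hits);
  else scanV1Tree(lock.dependencies, "", indicators, hits);
  return hits;
}

// Constructed lockfile: a clean direct axios, plus a compromised copy pulled in
// transitively by the hypothetical "some-sdk", alongside the injected dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.13.0" },
    "node_modules/some-sdk": { version: "2.0.0", dependencies: { axios: "1.14.1" } },
    "node_modules/some-sdk/node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
  },
};

for (const h of findCompromised(SAMPLE_LOCK)) {
  console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
}
```

To run it against a real project, parse the file with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and pass the result to `findCompromised`.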
