
Axios Maintainer Confirms Social Engineering Attack Behind npm Compromise

The lead maintainer of the widely used Axios npm package fell victim to a sophisticated social engineering attack. Attackers tricked the maintainer into installing a Remote Access Trojan (RAT) during a fake MS Teams meeting, enabling session hijacking that bypassed 2FA and allowed the unauthorized publication of malicious Axios versions to the npm registry.

Confidence: high
Analyzed: 2026-04-03
Actors: UNC group targeting cryptocurrency/AI

Source: Socket

Key Takeaways

  • The lead maintainer of the Axios npm package was compromised via a highly targeted social engineering campaign.
  • Attackers masqueraded as a legitimate company, using a convincing Slack workspace and staged MS Teams meetings to build trust.
  • The maintainer was tricked into installing a Remote Access Trojan (RAT) disguised as a required software update for MS Teams.
  • The RAT enabled attackers to hijack active browser sessions and cookies, completely bypassing 2FA and OIDC protections.
  • Attackers used the hijacked access to publish malicious versions of Axios to npm.

Affected Systems

  • macOS
  • Windows
  • Linux
  • npm ecosystem
  • Developer endpoints

Attack Chain

Attackers masqueraded as a legitimate company and invited the Axios maintainer to a convincing, branded Slack workspace. They subsequently scheduled an MS Teams meeting and prompted the maintainer to install a fake update to join the call. This update was actually a Remote Access Trojan (RAT) that granted the attackers control over the maintainer's machine. The attackers then hijacked active browser sessions and cookies to bypass 2FA, ultimately using the maintainer's authenticated state to publish malicious versions of the Axios package to npm.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules are provided in the article.

Detection Engineering Assessment

  • EDR Visibility: High. EDR solutions are highly capable of detecting the execution of unexpected binaries downloaded from browsers or communication apps, as well as unauthorized access to browser cookie stores by unknown processes.
  • Network Visibility: Medium. Network monitoring might catch the initial download of the RAT or subsequent C2 traffic, but the initial social engineering occurred over legitimate, encrypted channels (Slack, MS Teams).
  • Detection Difficulty: Moderate. While the social engineering aspect is difficult to detect technically, the execution of a RAT disguised as an update and the subsequent cookie theft are well-known behaviors that standard EDRs should flag if properly configured.

Required Log Sources

  • Process Creation Logs (Event ID 4688 / Sysmon Event ID 1)
  • File Creation Logs
  • Browser Access Logs

Hunting Hypotheses

Hypothesis 1: Look for suspicious child processes spawned by communication applications (e.g., Slack, MS Teams, web browsers) that write executable files to disk and subsequently execute them.
  • Telemetry: Process creation and file creation events
  • ATT&CK Stage: Execution
  • FP Risk: Medium

Hypothesis 2: Monitor for unauthorized or uncommon processes attempting to read browser cookie databases (e.g., Chrome/Edge/Firefox profile directories) to detect potential session hijacking.
  • Telemetry: File access logs and process monitoring
  • ATT&CK Stage: Credential Access
  • FP Risk: Low
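The two hypotheses above as runnable hunt logic, added here as an example and not part of the Socket report or any vendor's ruleset. It runs over constructed, Sysmon-style records; the event field names (type, image, parent, target), the process and cookie-store path lists, and the sample paths are all assumptions.

```python
# Added example (not from the report): hunt logic for the two hypotheses
# above, run over constructed telemetry. Field names and paths are assumptions.
COMMS_APPS = {"teams.exe", "slack.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
EXEC_EXTS = (".exe", ".msi", ".scr", ".dll")
COOKIE_STORE_MARKERS = ("\\user data\\", "\\firefox\\profiles\\")  # Chromium / Firefox profiles
COOKIE_FILES = ("cookies", "cookies.sqlite")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hunt_dropped_executables(events):
    """Hypothesis 1: a comms app or browser writes an executable that later runs."""
    dropped = {}   # lowercase path -> process that wrote it
    hits = []
    for ev in events:
        if ev["type"] == "file_create" and basename(ev["image"]) in COMMS_APPS \
                and ev["target"].lower().endswith(EXEC_EXTS):
            dropped[ev["target"].lower()] = ev["image"]
        elif ev["type"] == "process_create" and ev["image"].lower() in dropped:
            hits.append({"executed": ev["image"], "dropped_by": dropped[ev["image"].lower()],
                         "parent": ev["parent"]})
    return hits

def hunt_cookie_access(events):
    """Hypothesis 2: a process that is not a browser reads a browser cookie database."""
    hits = []
    for ev in events:
        if ev["type"] != "file_access":
            continue
        target = ev["target"].lower()
        if basename(target) in COOKIE_FILES and any(m in target for m in COOKIE_STORE_MARKERS) \
                and basename(ev["image"]) not in BROWSERS:
            hits.append({"process": ev["image"], "cookie_store": ev["target"]})
    return hits

# Constructed sample telemetry: a fake "Teams update" written by the Teams client,
# executed, then reading the Chrome cookie store; the browser's own read is benign.
SAMPLE_EVENTS = [
    {"type": "file_create", "image": "C:\\Users\\dev\\AppData\\Local\\Microsoft\\Teams\\Teams.exe",
     "target": "C:\\Users\\dev\\Downloads\\TeamsUpdate.exe"},
    {"type": "process_create", "image": "C:\\Users\\dev\\Downloads\\TeamsUpdate.exe",
     "parent": "C:\\Users\\dev\\AppData\\Local\\Microsoft\\Teams\\Teams.exe"},
    {"type": "file_access", "image": "C:\\Users\\dev\\Downloads\\TeamsUpdate.exe",
     "target": "C:\\Users\\dev\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"},
    {"type": "file_access", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "target": "C:\\Users\\dev\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"},
]

if __name__ == "__main__":
    for hit in hunt_dropped_executables(SAMPLE_EVENTS) + hunt_cookie_access(SAMPLE_EVENTS):
        print(hit)
```

Expect one hit per hypothesis on the sample: the dropped binary launched under Teams, and that same binary reading the cookie store while chrome.exe's own read is not flagged.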

Control Gaps

  • MFA/2FA Bypass via Session Hijacking
  • Trust in unverified third-party communications and meeting invites
  • Lack of endpoint protection preventing the initial RAT execution

Key Behavioral Indicators

  • Unexpected executable downloads prompted during web meetings
  • Unknown processes accessing browser cookie stores
  • Abnormal child processes originating from MS Teams or Slack

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Audit npm and GitHub logs for unauthorized access or publishing events.
  • Revoke all active sessions, clear cookies, and rotate credentials if a compromise is suspected.
  • Wipe and reformat any devices suspected of being compromised by a RAT.

Infrastructure Hardening

  • Implement hardware security keys (FIDO2) for all critical accounts to mitigate phishing.
  • Enforce strict device management and endpoint protection (EDR) on maintainer machines.

User Protection

  • Deploy EDR solutions to monitor for suspicious file executions and cookie theft.
  • Isolate open-source maintenance environments (e.g., using VMs or dedicated devices) from general web browsing and communications.

Security Awareness

  • Train developers and maintainers on advanced social engineering tactics, including fake company personas, cloned identities, and staged meetings.
  • Establish strict verification protocols for new corporate partnerships, collaborations, or software update prompts during meetings.

MITRE ATT&CK Mapping

  • T1566.002 - Phishing: Spearphishing Link
  • T1204.002 - User Execution: Malicious File
  • T1539 - Steal Session Cookie
  • T1185 - Browser Session Hijacking
  • T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain