Severity: critical

Axios npm package compromised to deploy malware

A supply chain attack compromised the widely used Axios npm package (versions 1.14.1 and 0.30.4) following a maintainer account takeover. The malicious packages deploy a cross-platform remote access trojan (RAT) during installation, which fetches second-stage payloads and actively evades forensic detection by cleaning up artifacts and altering package metadata.

Sens: Immediate · Conf: high · Analyzed: 2026-03-31

Authors: Sophos Counter Threat Unit Research Team

Actors: NukeSped

Source: Sophos

IOCs (2)
  • npm_package: axios@0.30.4 - Compromised Axios package version containing malicious dependency
  • npm_package: axios@1.14.1 - Compromised Axios package version containing malicious dependency

Key Takeaways

  • Axios npm package versions 1.14.1 and 0.30.4 were compromised via a maintainer account takeover.
  • The compromised packages introduce a malicious dependency that executes during installation.
  • The payload deploys a cross-platform remote access trojan (RAT) that fetches second-stage payloads from a C2 server.
  • The malware actively evades detection by removing installation artifacts and replacing its own package metadata with a clean version.

Affected Systems

  • Node.js applications using Axios versions 1.14.1 and 0.30.4
  • Web applications using Axios versions 1.14.1 and 0.30.4
  • Developer endpoints and CI/CD pipelines installing the affected packages

Attack Chain

An attacker compromised a legitimate Axios maintainer account and published unauthorized, malicious updates (versions 1.14.1 and 0.30.4) to the npm registry. Upon installation by a victim, a malicious dependency executes and deploys a cross-platform remote access trojan (RAT). The RAT communicates with a command and control (C2) server to download platform-specific second-stage payloads. Finally, the malware deletes installation artifacts and replaces its package metadata with clean versions to evade forensic analysis.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Sophos

Sophos provides endpoint protection signatures (JS/Agent-BLYB, Troj/PSAgent-CN, Troj/PyAgent-BZ, OSX/NukeSped-CB) to detect the threat.

Detection Engineering Assessment

  • EDR Visibility: Medium — EDR can detect the post-exploitation RAT behavior and second-stage payload execution, but the initial npm install script execution might blend in with normal developer activity.
  • Network Visibility: Medium — Network monitoring could detect the C2 communication for the second-stage payload, provided the C2 indicators are known or the traffic exhibits anomalous patterns.
  • Detection Difficulty: Moderate — The malware actively cleans up artifacts and alters metadata, making forensic detection difficult. Detection relies heavily on catching the installation execution or subsequent C2 traffic.

Required Log Sources

  • Process Creation Logs
  • Network Connection Logs
  • File System Modifications

Hunting Hypotheses

  • Hypothesis: Look for unusual child processes spawned by npm or node during package installation, especially those making external network connections.
    Telemetry: Process Creation, Network Connections. ATT&CK Stage: Execution. FP Risk: Medium.
  • Hypothesis: Identify file deletion events or metadata modifications targeting npm package directories immediately following a package installation.
    Telemetry: File System Modifications. ATT&CK Stage: Defense Evasion. FP Risk: Low.

Control Gaps

  • Lack of strict package version pinning
  • Insufficient monitoring of developer endpoints and CI/CD pipelines

Key Behavioral Indicators

  • npm or node processes initiating unexpected outbound network connections
  • File deletion events immediately following npm package installations

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Identify and remove Axios versions 1.14.1 and 0.30.4 from all environments.
  • Downgrade or upgrade to a known safe version of Axios.

Infrastructure Hardening

  • Implement strict dependency pinning and lockfiles to prevent automatic updates to compromised versions.
  • Use private npm registries or proxies that scan for known malicious packages.

User Protection

  • Ensure endpoint protection is updated with the latest signatures to detect the RAT payloads (e.g., Sophos signatures).

Security Awareness

  • Educate developers on the risks of supply chain attacks and the importance of verifying package integrity.

MITRE ATT&CK Mapping

  • T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
  • T1078 - Valid Accounts
  • T1059 - Command and Scripting Interpreter
  • T1105 - Ingress Tool Transfer
  • T1070.004 - Indicator Removal: File Deletion

Additional IOCs

  • Other:
    • JS/Agent-BLYB - Sophos detection signature for the JavaScript agent
    • Troj/PSAgent-CN - Sophos detection signature for the PowerShell agent
    • Troj/PyAgent-BZ - Sophos detection signature for the Python agent
    • OSX/NukeSped-CB - Sophos detection signature for the macOS NukeSped variant