How we caught the Axios supply chain attack
Suspected DPRK state actors compromised the highly popular Axios npm package by taking over a maintainer's account and publishing malicious versions that deployed a cross-platform RAT via a phantom dependency. Concurrently, a threat group named TeamPCP conducted a cascading supply chain attack affecting Trivy, LiteLLM, and Telnyx to harvest CI/CD credentials. These incidents underscore the critical need for automated package monitoring, rapid credential rotation, and delayed dependency updates.
Authors: Elastic Security Labs
Source:
Elastic Security Labs
Key Takeaways
- The popular Axios npm package was compromised by suspected DPRK state actors via a maintainer account takeover.
- Malicious Axios versions (1.14.1 and 0.30.4) utilized a phantom dependency named 'plain-crypto-js' to execute a postinstall hook that deployed a cross-platform RAT.
- A separate threat actor, TeamPCP, executed a cascading supply chain attack compromising the Trivy GitHub Action, LiteLLM, and Telnyx packages to steal CI/CD secrets.
- Elastic released an open-source proof-of-concept tool ('supply-chain-monitor') that uses LLMs to analyze package diffs and detect malicious changes.
- Implementing a 'soak time' (e.g., a 7-day delay) for package updates is strongly recommended to prevent immediate ingestion of compromised dependencies.
Affected Systems
- npm (Axios package users)
- PyPI (LiteLLM and Telnyx package users)
- GitHub Actions (Trivy-action users)
- CI/CD Pipelines
- Developer Workstations
Attack Chain
In the Axios attack, suspected DPRK actors compromised a maintainer's npm account, changed the associated email to a ProtonMail address, and published malicious versions (1.14.1 and 0.30.4). These versions included a phantom dependency called 'plain-crypto-js' which executed a postinstall hook to deploy a cross-platform RAT. In a separate campaign, TeamPCP compromised the Trivy GitHub Action to steal CI/CD pipeline secrets. These stolen credentials were then used to compromise the LiteLLM and Telnyx PyPI packages, injecting credential stealers, steganographic payloads hidden in WAV files, and disguised persistence mechanisms.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Elastic Security Labs
The article notes that Elastic Security Labs has published a separate technical blog post containing hunting and detection rules for Linux, Windows, and macOS, though the rules themselves are not included in this text.
Detection Engineering Assessment
EDR Visibility: High — EDR solutions (like Elastic Defend) successfully detected the post-exploitation behavior, such as the malicious postinstall hooks and RAT execution on affected hosts. Network Visibility: Medium — Network telemetry can capture the download of phantom dependencies (plain-crypto-js) and subsequent C2 communications, though C2 traffic may blend with legitimate web traffic. Detection Difficulty: Moderate — While detecting the initial supply chain compromise requires specialized diffing tools, the resulting execution of postinstall hooks and disguised binaries is highly visible to standard behavioral detection rules.
Required Log Sources
- Process Creation
- File Creation
- Network Connections
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for package manager processes (e.g., npm, pip) spawning unexpected child processes like shells or scripts, which may indicate malicious pre/post-install hooks. | Process Creation | Execution | Medium |
| Identify processes masquerading as legitimate Windows binaries (e.g., msbuild.exe) executing from non-standard directories. | Process Creation | Defense Evasion | Low |
Control Gaps
- Lack of automated behavioral analysis and diffing for new package versions before CI/CD ingestion.
- Immediate pulling of latest package versions without a soak time.
Key Behavioral Indicators
- Execution of postinstall scripts originating from unknown or phantom dependencies.
- Unexpected network connections initiated by package manager processes during installation.
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Audit environments and CI/CD pipelines for the presence of Axios versions 1.14.1 and 0.30.4, or the 'plain-crypto-js' dependency.
- Rotate all CI/CD secrets, cloud credentials, and API keys if the compromised versions of Trivy-action, LiteLLM, or Telnyx were used.
Infrastructure Hardening
- Implement a soak time for package updates using native package manager configurations (e.g., 'npm config set min-release-age 7' or 'pnpm config set minimum-release-age 10080').
- Integrate automated package diffing and LLM-assisted analysis tools (like the open-source supply-chain-monitor) into the dependency ingestion pipeline.
User Protection
- Ensure EDR agents are deployed and active on all developer workstations to catch malicious postinstall hooks.
Security Awareness
- Educate development teams on the risks of supply chain attacks, phantom dependencies, and the importance of verifying package integrity.
MITRE ATT&CK Mapping
- T1195.001 - Compromise Software Dependencies and Development Tools
- T1078 - Valid Accounts
- T1059 - Command and Scripting Interpreter
- T1027.003 - Steganography
- T1552 - Forged Web Credentials
- T1036.005 - Masquerading: Match Legitimate Name or Location
Additional IOCs
- File Paths:
msbuild.exe- Windows persistence implant disguised as the legitimate msbuild.exe binary during the Telnyx compromise.
- Other:
aquasecurity/trivy-action- GitHub Action compromised by TeamPCP to harvest CI/CD secrets.litellm- PyPI package compromised by TeamPCP using stolen credentials to deploy credential stealers.telnyx- PyPI package compromised by TeamPCP to deploy steganographic payloads and Windows persistence.