Two malicious Axios npm releases have prompted urgent warnings for developers to rotate credentials and treat affected systems as compromised following a supply chain attack. The compromised versions, [email protected] and [email protected], were found to declare a dependency on [email protected], a malicious package that ran code automatically at install time. Because the payload executed during installation, anyone who installed the tainted releases in the window before they were removed from npm was exposed, whether or not the application code ever called Axios.
Cybersecurity company Socket reported the attack, noting that the injected code could give attackers remote access to infected machines. The malicious payload creates a significant risk of theft of sensitive data, including login credentials, API keys, and crypto wallet material, from developer workstations and build systems alike. The incident illustrates the reach a single compromised open-source component can have: one popular dependency is pulled into countless applications and, through them, affects their users.
OX Security advised developers who installed the compromised Axios versions to regard those systems as fully compromised and to promptly rotate key credentials, including API keys and session tokens. Socket noted that the dependency on [email protected] was configured to run through a post-install script, so the payload executed as soon as the package was installed, with no action required from the user and no indication in the application's own code.
Developers are encouraged to audit their projects and dependency files (package.json and lockfiles, including those on CI runners) for the affected Axios versions and to remove or revert any compromised installations immediately. Removal alone is not a remediation: the install-time code has already run on any machine where the tainted versions were installed, so any secrets reachable from that environment should be treated as exposed and rotated. The frequency of such supply chain attacks is alarming, particularly given earlier incidents in which a compromise that began with a developer's credentials or machine escalated into significant losses for end users.