Axios compromised on NPM – Malicious versions drop remote access trojan

 (stepsecurity.io)

321 points | by mtud 2 hours ago

30 comments

  • postalcoder 1 hour ago
    PSA: npm/bun/pnpm/uv now all support setting a minimum release age for packages.

    I also have `ignore-scripts=true` in my ~/.npmrc. Based on the analysis, that alone would have mitigated the vulnerability. bun and pnpm do not execute lifecycle scripts by default.

    Here's how to set global configs to set min release age to 7 days:

      ~/.config/uv/uv.toml
  exclude-newer = "7 days"

  ~/.npmrc
  min-release-age=7 # days
  ignore-scripts=true
  
  ~/Library/Preferences/pnpm/rc
  minimum-release-age=10080 # minutes
  
  ~/.bunfig.toml
  [install]
  minimumReleaseAge = 604800 # seconds
    (Side note, it's wild that npm, bun, and pnpm have all decided to use different time units for this configuration.)

    If you're developing with LLM agents, you should also update your AGENTS.md/CLAUDE.md file with some guidance on how to handle failures stemming from this config as they will cause the agent to unproductively spin its wheels.

    [-]
    • WD-42 0 minutes ago
      Props to uv for actually using the correct config path jfc
    • friendzis 1 minute ago
      > (Side note, it's wild that npm, bun, and pnpm have all decided to use different time units for this configuration.)

      First day with javascript?

    • superjan 20 minutes ago
      About the use of different units: next time you choose a property name in a config file, include the unit in the name. So not “timeout” but “timeoutMinutes”.
    • mhio 1 hour ago
      and for yarn berry

          ~/.yarnrc.yml
    npmMinimalAgeGate: "3d"
    • XYen0n 57 minutes ago
      If everyone avoids using packages released within the last 7 days, malicious code is more likely to remain dormant for 7 days.
      [-]
      • otterley 54 minutes ago
        What do you base that on? Threat researchers (and their automated agents) will still keep analyzing new releases as soon as they’re published.
      • cozzyd 55 minutes ago
        that's why people are telling others to use 7 days but using 8 days themselves :)
      • 3abiton 9 minutes ago
        This highly depends on the detection mechanism.
      • jmward01 53 minutes ago
        I suspect most packages will keep a mix of people at 7 days and those with no limit. That being said, adding jitter by default would be good to these features.
      • Aurornis 41 minutes ago
        Most people won’t.

        7 days gives ample time for security scanning, too.

      • DimmieMan 55 minutes ago
        They’re usually picked up by scanners by then.
      • bakugo 49 minutes ago
        > If everyone avoids using packages released within the last 7 days

        Which will never even come close to happening, unless npm decides to make it the default, which they won't.

  • h4ch1 1 hour ago
    I can't even imagine the scale of the impact with Axios being compromised, nearly every other project uses it for some reason instead of fetch (I never understood why).

    Also from the report:

    > Neither malicious version contains a single line of malicious code inside axios itself. Instead, both inject a fake dependency, plain-crypto-js@4.2.1, a package that is never imported anywhere in the axios source, whose only purpose is to run a postinstall script that deploys a cross-platform remote access trojan (RAT)

    Good news for pnpm/bun users who have to manually approve postinstall scripts.

    [-]
    • beart 1 hour ago
      > nearly every other project uses it for some reason instead of fetch (I never understood why).

      Fetch wasn't added to Node.js as a core package until version 18, and wasn't considered stable until version 21. Axios has been around much longer and was made part of popular frameworks and tutorials, which helps continue to propagate it's usage.

      [-]
      • seer 1 hour ago
        Also it has interceptors, which allow you to build easily reusable pieces of code - loggers, oauth, retriers, execution time trackers etc.

        These are so much better than the interface fetch offers you, unfortunately.

        [-]
        • reactordev 1 hour ago
          You can do all of that in fetch really easily with the init object.

             fetch('https://api.example.com/data', {
  headers: {
    'Authorization': 'Bearer ' + accessToken
  }
          })
          [-]
          • zdragnar 2 minutes ago
            There are pretty much two usage patterns that come up all the time:

            1- automatically add bearer tokens to requests rather than manually specifying them every single time

            2- automatically dispatch some event or function when a 401 response is returned to clear the stale user session and return them to a login page.

            There's no reason to repeat this logic in every single place you make an API call.

            Likewise, every response I get is JSON. There's no reason to manually unwrap the response into JSON every time.

            Finally, there's some nice mocking utilities for axios for unit testing different responses and error codes.

            You're either going to copy/paste code everywhere, or you will write your own helper functions and never touch fetch directly. Axios... just works. No need to reinvent anything, and there's a ton of other handy features the GP mentioned as well you may or may not find yourself needing.

          • mhio 1 hour ago
            What does an interceptor in the RequestInit look like?
        • meekins 1 hour ago
          It also supports proxies which is important to some corporate back-end scenarios
          [-]
    • eviks 1 hour ago
      > Good news for pnpm/bun users who have to manually approve postinstall scripts.

      Would they not have approved it for earlier versions? But also wouldn't the chance of addition automatic approval be high (for such a widely used project)?

      [-]
      • bpev 16 minutes ago
        Assuming axios didn't have a postinstall script before, it wouldn't have been approved for a previous version. If you ignore it, you ignore it, but postinstall scripts are relatively rare in npm deps, so it would seem a bit out of place when the warning pops up.
      • arcfour 36 minutes ago
        The prompt would be to approve the new malicious package (plain-crypto-js)'s scripts, too, which could tip users off that something was fishy. If they were used to approving one for axios and the attackers had just overwrote axios's own instead of making a new package, it would probably catch people out.
      • h4ch1 33 minutes ago
        Can't speak for other devs but I like to read postinstall scripts or at least put them through an LLM if they're too hard to grok.

        It's also a little context dependent, for example if I was using Axios and I see a prompt to run the plain-crypto-js postinstall script, alarm bells would instantly ring, which would at least make me look up the changelog to see why this is happening.

        In most cases I don't even let them run unless something breaks/doesn't work as expected.

    • martmulx 1 hour ago
      Does pnpm block postinstall on transitive deps too or just top-level? We have it configured at work but I've never actually tested whether it catches scripts from packages that get pulled in as sub-dependencies.
      [-]
      • arcfour 33 minutes ago
        It prompts for transitive dependencies, too. I have never had workerd as a direct dependency of any project of mine but I get prompted to approve its postinstall script whenever I install cloudflare's wrangler package (since workerd needs to download the appropriate Workers runtime for your platform).
      • dawnerd 1 hour ago
        From what I can tell, it blocks it everywhere.
  • vsgherzi 55 minutes ago
    Not to beat a dead horse but I see this again and again with dependencies. Each time I get more worried that the same will happen with rust. I understand the fat std library approach won’t work but I really still want a good solution where I can trust packages to be safe and high quality.
    [-]
    • pier25 20 minutes ago
      If the fat std library is not viable you can only increase security requirements.

      Axios has like 100M downloads per week. A couple of people with MFA should have to approve changes before it gets published.

    • rectang 48 minutes ago
      Hosting curated dependencies is a commercially valuable service. Eventually an economy arises where people pay vendors to vet packages.
      [-]
      • tankenmate 22 minutes ago
        It already exists; cloudsmith
    • brigandish 15 minutes ago
      An alternative:

      - copy the dependencies' tests into your own tests

      - copy the code in to your codebase as a library using the same review process you would for code from your own team

      - treat updates to the library in the same way you would for updates to your own code

      Apparently, this extra work will now not be a problem, because we have AI making us 10x more efficient. To be honest, even without AI, we should've been doing this from the start, even if I understand why we haven't. The excuses are starting to wear thin though.

  • wps 1 hour ago
    Genuinely how are you supposed to make sure that none of the software you have on your system pulls this in?

    It’s things like this that make me want to swap to Qubes permanently, simply as to not have my password manager in the same context as compiling software ever.

  • jadar 2 hours ago
    How much do you want to bet me that the credential was stolen during the previous LiteLLM incident? At what point are we going to have to stop using these package managers because it's not secure? I've got to admit, it's got me nervous to use Python or Node.js these days, but it's really a universal problem.
    [-]
    • rybosome 1 hour ago
      > it’s got me nervous to use Python or Node.js these days

      My feelings precisely. Min package age (supported in uv and all JS package managers) is nice but I still feel extremely hesitant to upgrade my deps or start a new project at the moment.

      I don’t think this is going to stabilize any time soon, so figuring out how to handle potentially compromised deps is something we will all need to think about.

      [-]
      • Tazerenix 1 hour ago
        NPM only gained minimum package age in February of this year, and still doesn't support package exclusions for internal packages.

        https://github.com/npm/cli/pull/8965

        https://github.com/npm/cli/issues/8994

        Its good that that they finally got there but....

        I would be avoiding npm itself on principle in the JS ecosystem. Use a package manager that has a history of actually caring about these issues in a timely manner.

      • arcfour 39 minutes ago
        PNPM makes you approve postinstall scripts instead of running them by default, which helps a lot. Whenever I see a prompt to run a postinstall script, unless I know the package normally has one & what it does, I go look it up before approving it.

        (Of course I could still get bitten if one of the packages I trust has its postinstall script replaced.)

    • crimsonnoodle58 16 minutes ago
      More like the Trivy incident (which led to the compromise of LiteLLM).
  • yoyohello13 8 minutes ago
    This is just going to get worse and worse as agentic coding gets better. I think having a big dependency tree may be a thing of the past in the coming years. Seems like eventually new malware will be coming out so fast it will basically be impossible to stop.
  • tkel 35 minutes ago
    83M weekly downloads! JS package managers (pnpm, bun) now will ignore postinstall scripts by default. Except for npm, it still runs them for legacy reasons.

    You should probably set your default to not run those scripts. They are mostly unnecessary.

      ~/.npmrc :
  ignore-scripts=true
  • jmward01 1 hour ago
    This may not be popular, but is there a place for required human actions or just timed actions to slow down things like this? For instance, maybe a GH action to deploy requires a final human click and to change that to cli has a 3 day cooling period with mandatory security emails sent out. Similarly, you switch to read only for 6 hrs after an email change. There are holes in these ideas but the basic concept is to treat security more like physical security, your goal isn't always to 100% block but instead to slow an attacker for xxx minutes to give the rest of the team time to figure out what is going on.
    [-]
    • ArcHound 1 hour ago
      Hi, security here. We've tried, but the amount of people you need for this vs the amount of people you have trying to review and click the big button always means that this step will be a bottleneck. Thus this step will be eliminated.

      A much better approach would be to pin the versions used and do intentional updates some time after release, say a sprint after.

      [-]
      • jmward01 1 hour ago
        Yeah, I am looking at that on the use end. It sounds like on the python side this type of thing will be more standard (uv now and soon pip supported with version date requirements). I think time is a big missing element in many security in depth decisions. It can be time until you adopt like use no package newer than xx days or time it takes to deploy etc etc. Unfortunately the ecosystem is getting really diverse and that means ever more sophisticated attacks so we may need to do things that are annoying just to survive.
      • themafia 46 minutes ago
        Why not just release escrow? If I try to push a new release version another developer or developers have to agree to that release. In larger projects you would expect the release to be coordinated or scheduled anyways. Effectively we're just moving "version pinning" or "version delay" one layer up the release chain.
  • woeirua 1 hour ago
    Supply chain attacks are so scary that I think most companies are going to use agents to hard fork their own versions of a lot of these core libraries instead. It wasn’t practical before. It’s definitely much more doable today.
  • acheong08 57 minutes ago
    There are so many scanners these days these things get caught pretty quick. I think we need either npm or someone else to have a registry that only lets through packages that pass these scanners. Can even do the virustotal thing of aggregating reports by multiple scanners. NPM publishes attestation for trusted build environments. Google has oss-rebuild.

    All it takes is an `npm config set` to switch registries anyways. The hard part is having a central party that is able to convince all the various security companies to collaborate rather than having dozens of different registries each from each company.

    Rather than just a hard-coded delay, I think having policies on what checks must pass first makes sense with overrides for when CVEs show up.

    (WIP)

    [-]
    • drum55 21 minutes ago
      The ones you hear about are caught quickly, I’m more worried about the non obvious ones. So far none of these have been as simple as changing a true to a false and bypassing all auth for all products or something, and would that be caught by an automated scanner?
  • himata4113 1 hour ago
    I recommend everyone to use bwrap if you're on linux and alias all package managers / anything that has post build logic with it.

    I have bwrap configured to override: npm, pip, cargo, mvn, gradle, everything you can think of and I only give it the access it needs, strip anything that is useless to it anyway, deny dbus, sockets, everything. SSH is forwarded via socket (ssh-add).

    This limits the blast radius to your CWD and package manager caches and often won't even work since the malware usually expects some things to be available which are not in a permissionless sandbox.

    You can think of it as running a docker container, but without the requirement of having to have an image. It is the same thing flatpak is based on.

    As for server deployments, container hardening is your friend. Most supply chain attacks target build scripts so as long as you treat your CI/CD as an untrusted environment you should be good - there's quite a few resources on this so won't go into detail.

    Bonus points: use the same sandbox for AI.

    Stay safe out there.

    [-]
    • vips7L 30 minutes ago
      AFAIK maven doesn’t support post install logic like npm does. You have to explicitly optin with build plugins. It doesn’t let any arbitrary dependency run code on your machine.
  • leventhan 8 minutes ago
    PSA: Make sure to set a minimum release age and pin versions where possible.
  • bluepeter 1 hour ago
    Min release age sucks, but we’ve been here before. Email attachments used to just run wild too, then everyone added quarantine delays and file blocking and other frictions... and it eventually kinda/sorta worked. This does feel worse, though, with fewer chokepoints and execution as a natural part of the expectation.

    Edit: bottom line is installs are gonna get SOOO much more complicated. You can already see the solution surface... Cooling periods, maintainer profiling, sandbox detonation, lockfile diffing, weird publish path checks. All adds up to one giant PITA for fast easy dev.

    [-]
    • mayama 48 minutes ago
      Min release age might just postpone vulnerability to be applied few days later in non trivial cases like this. More I think about it, Odin lang approach of no package manager makes senses. But, for that approach won't work for Javascript as it needs npm package even for trivial things. Even vendoring approach like golang won't work with Javascript with the amount of churn and dependencies.
      [-]
  • Surac 33 minutes ago
    All these supply chain attacks make me nervous about the apps I use. It would be valuable info if an app used such dependencies, but on the other hand, programmers would cut their sales if they gave you this info.
  • marjipan200 2 hours ago
    Incident tracking:

    https://github.com/axios/axios/issues/10604

  • k4binSecurity 7 minutes ago
    local [fuction][Password and Key and DMS] Axes [Password and K [UserID] --1234567890-- [Hacking error Message -- Hello -- hacker typer --97283710-- Security
  • mtud 2 hours ago
    Supply chain woes continue
    [-]
  • dhruv3006 1 hour ago
    174025 dependents.
  • koolba 2 hours ago
    > Both versions were published using the compromised npm credentials of a lead axios maintainer, bypassing the project's normal GitHub Actions CI/CD pipeline.

    Doesn’t npm mandate 2FA as of some time last year? How was that bypassed?

    [-]
  • rtpg 1 hour ago
    Please can we just have a 2FA step on publishing? Do we really need a release to be entirely and fully automated?

    It won't stop all attacks but definitely would stop some of these

  • 0x500x79 1 hour ago
    Pin your dependencies folks! Audit and don't upgrade to every brand new version.
    [-]
    • onion2k 1 hour ago
      But also have a regular review of your dependencies to update them when necessary, because as bad as compromised packages may be things do have vulnerabilities occasionally, and upgrading things that are a long way out-of-date can be quite hard.
  • 8cvor6j844qw_d6 2 hours ago
    Should increase the delay to dependency updates.
    [-]
    • tonymet 1 hour ago
      Slow Russian roulette is still a losing strategy
      [-]
      • btown 1 hour ago
        It’s only a losing strategy if you assume everyone universally adopts the slow strategy, and no research teams spot it in the interim. For things with large splash radius, that’s unrealistic, so defenders have an information advantage.

        Makes actual security patches tougher to roll out though - you need to be vigilant to bypass the slowdown when you’re actually fixing a critical flaw. But nobody said this would be easy!

        [-]
        • esseph 1 hour ago
          > Makes actual security patches tougher to roll out though

          Yeah. 7 days in 2026 is a LONG TIME for security patches, especially for anything public facing.

          Stuck between a rock (dependency compromise) and a hard place (legitimate security vulnerabilities).

          Doesn't seem like a viable long-term solution.

      • neko_ranger 1 hour ago
        but wouldn't it work in this case? sure if a package was compromised for months/years it wouldn't save you

        but tell dependabot to delay a week, you'd sleep easy from this nonesense

  • tonymet 1 hour ago
    Has anyone tested general purpose malware detection on supply chains ? Like clamscan . I tried to test the LiteLLM hack but the affected packages had been pulled. Windows Defender AV has an inference based detector that may work when signatures have not yet been published
    [-]
    • jesse_dot_id 1 hour ago
      I second this question. I usually scan our containers with snyk and guarddog, and have wondered about guarddog in particular because it adds so much build time.
    • esseph 1 hour ago
      > Has anyone tested general purpose malware detection on supply chains ? Like clamscan

      You could use Trivy! /s

  • 0x1ceb00da 1 hour ago
    Coded has zero nom dependencies. Neat!
  • stevenmh 43 minutes ago
    [dead]
  • imrozim 1 hour ago
    [flagged]
    [-]
    • joshuat 1 hour ago
      Why would pinning the exact version in this case not have solved the problem? I agree `--ignore-scripts` would be a sensible default at this point, but my understanding is that this vulnerability exclusively impacts two newly released versions.
      [-]
      • bakugo 1 hour ago
        You're replying to an AI bot.
        [-]
        • joshuat 58 minutes ago
          -_- I love the internet
  • franciscop 1 hour ago
    [flagged]
    [-]
    • nkozyra 57 minutes ago
      No offense intended here, but this probably isn't the place to promote your package, given it's a story about a massive and incredibly popular dependency that managed to get got.
  • slopinthebag 2 hours ago
    It's reasons like this why I refuse to download Node or use anything NPM. Thankfully other languages are better anyways.
    [-]