Full Report
KEY OBSERVATIONS
- Malicious Package Versions Identified: Malicious versions of the Axios npm package (`axios@1.14.1` and `axios@0.30.4`) were observed within a customer's environment, indicating exposure to the supply chain compromise.
- Suspicious Dependency Execution: An unauthorized dependency was present, and its `postinstall` script executed during `npm install`, triggering the initial stage of the infection.
- Abnormal Process Execution Chain: Multiple systems exhibited suspicious parent-child process relationships in which `npm` or `node` spawned command interpreters such as `cmd.exe` and `powershell.exe`, followed by execution of network utilities such as `curl` or `wget` to retrieve the next stage.
- Post-Exploitation Activity Detected by LevelBlue: LevelBlue's Cybereason Defense Platform generated detections for post-install script execution, abnormal process spawning (including a renamed PowerShell binary), and suspicious outbound network communication, indicating successful exploitation and likely remote access trojan (RAT) deployment on affected systems.
Analysis Summary
# Incident Report: Axios NPM Package Supply Chain Compromise
## Executive Summary
A supply chain attack targeted the popular `axios` npm package, where malicious versions (1.14.1 and 0.30.4) were published to the public registry. The compromise allowed for the execution of unauthorized post-install scripts that deployed a Remote Access Trojan (RAT) on development and production systems. LevelBlue detected the infection through abnormal process chains involving Node.js spawning PowerShell and curl to download secondary payloads.
## Incident Details
- **Discovery Date:** Not stated in the source
- **Incident Date:** Not stated in the source; the compromise was identified when the malicious versions 1.14.1 and 0.30.4 appeared in customer environments
- **Affected Organization:** Multiple (Customer environments monitored by LevelBlue)
- **Sector:** Technology / Software Development
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Not stated in the source
- **Vector:** Supply Chain Compromise
- **Details:** Threat actors published malicious versions of the `axios` package (v1.14.1 and v0.30.4). When developers or CI/CD pipelines updated or installed these versions, a malicious `postinstall` script was automatically triggered.
### Lateral Movement
- **Details:** The report does not describe any lateral movement steps. The RAT gives the operator interactive access to the initially compromised workstation or build server, from which further movement into the network would be possible.
### Data Exfiltration/Impact
- **Details:** No exfiltration was confirmed in the report. A RAT on a developer workstation or build agent puts credentials, environment variables, and source code within the attacker's reach and provides persistent access to the development infrastructure.
### Detection & Response
- **Detection:** LevelBlue’s Cybereason Defense Platform identified abnormal process behaviors, specifically `node.exe` spawning `cmd.exe` or `powershell.exe`.
- **Response:** Security teams initiated hunting queries to identify the presence of malicious files (e.g., `6202033.ps1`) and blocked suspicious outbound network communications.
## Attack Methodology
- **Initial Access:** Supply chain attack via poisoned npm packages (`[email protected]`, `[email protected]`).
- **Execution:** The malicious dependency's `postinstall` lifecycle script, run automatically by npm during installation.
- **Persistence:** Deployment of a RAT that outlives the install process and provides ongoing access.
- **Defense Evasion:** Use of renamed PowerShell executables and execution of scripts from `AppData\Local\Temp`.
- **Command and Control (Ingress Tool Transfer):** Network utilities such as `curl` and `wget`, launched from the spawned shell, retrieved the second-stage payload from attacker-controlled infrastructure.
- **Exfiltration:** Potential exfiltration via suspicious outbound network communication to attacker-controlled infrastructure.
- **Impact:** Deployment of a Remote Access Trojan (RAT) for full system control.
## Impact Assessment
- **Financial:** High potential cost due to remediation, forensic investigation, and potential loss of intellectual property.
- **Data Breach:** Exposure of environment variables, credentials, and source code managed on compromised systems.
- **Operational:** Disruption of development workflows and CI/CD pipelines as packages had to be rolled back/vetted.
- **Reputational:** High risk for organizations unknowingly distributing software containing the malicious dependency.
## Indicators of Compromise
- **Network Indicators:**
- Suspicious outbound connections from `curl` or `wget` to external hosts. The report gives only a defanged placeholder (`hxxp[://]unauthorized-host[.]com/payload`), not a real attacker host.
- **File Indicators:**
- `6202033.ps1`
- `6202033.vbs`
- Malicious `axios` versions: `1.14.1`, `0.30.4`
- **Behavioral Indicators:**
- `npm` or `node.exe` spawning `cmd.exe` or `powershell.exe`.
- Command lines containing `AppData\Local\Temp` linked to npm installations.
- Shell processes whose command line references npm package paths (e.g., `packages.npm`) or contains a URL.
## Response Actions
- **Containment:** Isolated affected systems exhibiting the abnormal process chain.
- **Eradication:** Removed malicious `axios` package versions and deleted temporary scripts (`.ps1`, `.vbs`) from temp directories.
- **Recovery:** Reverted `axios` to the release immediately preceding the malicious version on each line (1.14.0 for 1.x, 0.30.3 for 0.x).
## Lessons Learned
- **Supply Chain Vulnerability:** Even highly trusted packages like `axios` can be compromised; letting semver ranges (`^`, `~`) pull new patch or minor releases automatically is a significant risk.
- **Observability:** Rapid detection was only possible due to behavioral monitoring of process parent-child relationships (Node -> Shell).
## Recommendations
- **Lockfile Integrity:** Commit `package-lock.json` or `yarn.lock` and install from it with `npm ci` so the recorded `integrity` hashes are enforced during the build.
- **Dependency Pinning:** Avoid using wildcards (e.g., `^` or `~`) for critical dependencies; pin to specific, vetted versions.
- **Script Restrictions:** Run installs with `npm ci --ignore-scripts` (or set `ignore-scripts=true` in `.npmrc`) wherever lifecycle scripts are not strictly required; packages that legitimately need a build step can then be rebuilt explicitly with `npm rebuild <pkg>` after review.
- **Egress Filtering:** Limit outbound internet access from build servers and production environments to only known-good update proxies.