Axios Security Breach: Remove the Remote Access Trojan Now

Axios Security Alert: How to Remove the Remote Access Trojan From Your Code
Axios versions 1.14.1 and 0.30.4 are compromised. A supply-chain attack injected a Remote Access Trojan (RAT) into these two releases. The library has over 100 million weekly downloads, which makes this a major threat to the JavaScript ecosystem.
The attack followed the takeover of a maintainer's npm account. The attacker added a rogue dependency called plain-crypto-js, which triggers a hidden script when you run npm install.
How the Attack Works
The malicious code uses a postinstall hook that runs a file named setup.js as soon as the package installs. The script checks whether the host runs macOS, Windows, or Linux, then downloads a second payload from a remote server. That payload gives the attacker remote access to the machine.
Once the RAT is installed, the script deletes its setup files and even modifies your package.json to hide the evidence, so a standard security audit run after the infection is complete may find nothing.
What is at Risk?
The attacker can steal any sensitive data stored on your computer or server. This includes:
AWS and cloud access keys.
OpenAI API keys.
Environment variables from .env files.
SSH keys and private certificates.
How to Check Your System
Look for these signs of infection immediately:
Check your package.json for Axios version 1.14.1 or 0.30.4.
Check your node_modules folder for a package named plain-crypto-js.
On macOS, look for the file: ~/Library/Caches/com.apple.act.mond.
On Linux, look for: /tmp/ld.py.
On Windows, look for wt.exe in your Program Data folder.
Immediate Action Steps
If you find these files, your system is compromised. Follow these steps to recover:
Rotate all keys: Change every API key, password, and token accessible from that machine.
Downgrade Axios: Revert to version 1.14.0 or 0.30.3.
Use Overrides: Force your package manager to ignore the malicious versions.
Clean Reinstall: Delete your node_modules and reinstall using the --ignore-scripts flag.
This incident shows the danger of relying on third-party libraries. While Axios offers a great developer experience (DX), native tools like the Fetch API are often safer. Always monitor your dependencies and use security tools to watch for malicious install hooks.
If you need help with your software, feel free to reach out to me via https://www.fortesglobalweb.nl