Summarizer

Cross-platform RAT payloads

Technical analysis of the malware's macOS (AppleScript), Windows (VBScript/PowerShell), and Linux (Python) specific payloads and persistence mechanisms

← Back to Axios compromised on NPM – Malicious versions drop remote access trojan

A supply chain attack on the `axios` npm package (compromised versions 1.14.1 and 0.30.4) exposed users to a cross-platform remote access trojan (RAT) dropper, delivered through an injected dependency that axios never imports and whose only purpose is to run a postinstall script during `npm install`. Commenters share a shell command that locates installed copies of the compromised versions, and argue that the breach highlights a lack of "secure by default" protections: npm runs install scripts unless users opt out, and desktop Linux does little to contain what those scripts do once they run. The thread frames the incident as a warning that Linux is not immune to malware, with critics arguing that its current security model lags decades behind in protecting users from such coordinated, multi-platform threats.
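The scanner below is an added example, not code from the thread, from axios, or from the article it links to. It generalizes the one-liner approach commenters describe: it walks a project tree for installed copies of the two axios versions the thread names (1.14.1 and 0.30.4), flags any installed package that declares an npm install-time script, and separately reads package-lock.json, because the lockfile records what npm actually resolved and installed even after a dropper has swapped its own package.json for a clean one. The fixture it builds is constructed for the demonstration; the injected dependency's name is shown as a placeholder because this page does not give it.

```python
"""Added example: check a project for the compromised axios versions named in the
thread and for dependencies that register npm install-time scripts.

Two views are checked, because the thread notes the dropper deletes itself and
rewrites its own package.json to look clean after running:
  1. installed node_modules/*/package.json files (what is on disk now)
  2. package-lock.json (what npm resolved and installed at install time)
"""
import json
import os
import tempfile
from pathlib import Path

# Versions the thread identifies as compromised (the same two the fish one-liner greps for).
COMPROMISED_AXIOS = {"1.14.1", "0.30.4"}
# npm runs these lifecycle scripts automatically during `npm install` unless ignore-scripts is set.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def scan_node_modules(root):
    """Walk `root`; return sorted (kind, package_dir, detail) findings for every
    installed manifest under a node_modules directory."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        pkg_dir = Path(dirpath)
        if "node_modules" not in pkg_dir.parts:
            continue  # the project's own manifest, not an installed dependency
        try:
            meta = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not abort the scan
        if not isinstance(meta, dict):
            continue
        if meta.get("name") == "axios" and str(meta.get("version")) in COMPROMISED_AXIOS:
            findings.append(("compromised-axios", str(pkg_dir), str(meta["version"])))
        scripts = meta.get("scripts") if isinstance(meta.get("scripts"), dict) else {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append(("install-script", str(pkg_dir), f"{hook}: {scripts[hook]}"))
    return sorted(findings)


def lockfile_findings(lock):
    """Return sorted (kind, lock_key, detail) findings from a parsed package-lock.json.
    Handles lockfileVersion 2/3 ('packages' map) and version 1 (nested 'dependencies').
    For a compromised axios entry the detail lists the dependencies the lockfile says
    it declared; an injected, never-imported package shows up there."""
    hits = []

    def declare(key, entry, deps):
        version = str(entry.get("version"))
        if version in COMPROMISED_AXIOS:
            hits.append(("compromised-axios", key, f"{version} declares: {', '.join(sorted(deps)) or '(none)'}"))

    packages = lock.get("packages")
    if isinstance(packages, dict):  # lockfileVersion 2 or 3
        for key, entry in packages.items():
            if not isinstance(entry, dict):
                continue
            if key.endswith("node_modules/axios"):
                declare(key, entry, entry.get("dependencies") or {})
            if entry.get("hasInstallScript"):  # npm records this flag for packages with install hooks
                hits.append(("install-script", key, "hasInstallScript"))
    else:  # lockfileVersion 1: tree of 'dependencies', each listing what it 'requires'
        def walk(deps, prefix):
            for name, entry in deps.items():
                if not isinstance(entry, dict):
                    continue
                key = f"{prefix}node_modules/{name}"
                if name == "axios":
                    declare(key, entry, entry.get("requires") or {})
                walk(entry.get("dependencies") or {}, key + "/")
        walk(lock.get("dependencies") or {}, "")
    return sorted(hits)


def scan_lockfile(lock_path):
    """Parse a package-lock.json file and return lockfile_findings() for it."""
    return lockfile_findings(json.loads(Path(lock_path).read_text(encoding="utf-8")))


def build_sample_tree():
    """Constructed fixture, not a real project: compromised axios at top level and nested
    under another package, a package with a postinstall hook, and a v3 lockfile.
    'injected-dep-placeholder' stands in for the injected dependency the page does not name."""
    root = Path(tempfile.mkdtemp(prefix="axios-scan-"))

    def write_pkg(rel, meta):
        d = root / rel
        d.mkdir(parents=True, exist_ok=True)
        (d / "package.json").write_text(json.dumps(meta), encoding="utf-8")

    axios_deps = {"follow-redirects": "^1.15.6", "injected-dep-placeholder": "1.0.0"}
    write_pkg(".", {"name": "demo-app", "version": "1.0.0", "scripts": {"postinstall": "echo app hook"}})
    write_pkg("node_modules/axios", {"name": "axios", "version": "1.14.1", "dependencies": axios_deps})
    write_pkg("node_modules/clean-lib", {"name": "clean-lib", "version": "2.0.0"})
    write_pkg("node_modules/hooked-lib", {"name": "hooked-lib", "version": "0.1.0",
                                          "scripts": {"postinstall": "node setup.js"}})
    write_pkg("node_modules/hooked-lib/node_modules/axios", {"name": "axios", "version": "0.30.4"})
    lock = {"name": "demo-app", "lockfileVersion": 3, "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/axios": {"version": "1.14.1", "dependencies": axios_deps},
        "node_modules/clean-lib": {"version": "2.0.0"},
        "node_modules/hooked-lib": {"version": "0.1.0", "hasInstallScript": True},
        "node_modules/hooked-lib/node_modules/axios": {"version": "0.30.4"},
    }}
    (root / "package-lock.json").write_text(json.dumps(lock), encoding="utf-8")
    return root


if __name__ == "__main__":
    project = build_sample_tree()
    for finding in scan_node_modules(project) + scan_lockfile(project / "package-lock.json"):
        print(*finding, sep="\t")
```

Run it against a real checkout by calling `scan_node_modules(Path("."))` and `scan_lockfile("package-lock.json")` instead of the fixture. A clean on-disk package.json is not proof of absence given the self-cleaning behaviour described in the thread, so treat the lockfile result as the durable signal. The opt-out commenters refer to is `ignore-scripts=true` in `.npmrc` (or `npm install --ignore-scripts`), which stops npm from running these hooks at all.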

4 comments tagged with this topic


A command to recursively check for the compromised axios package version: find / -path '*/node_modules/axios/package.json' -type f 2>/dev/null | while read -l f; set -l v (grep -oP '"version"\s*:\s*"\K(1\.14\.1|0\.30\.4)' $f 2>/dev/null); if test -n "$v"; printf '\a\n\033[1;31m FOUND v%s\033[0m \033[1;33m%s\033[0m\n' $v (string replace '/package.json' '' -- $f); else; printf '\r\033[2m scanning: %s\033[K\033[0m' (string sub -l 70 -- $f); end; end; printf '\r\033[K\n\033[1;32m scan complete\033[0m\n'

Absolutely. If you ever did an npm install on a project using one of the affected axios versions, your entire system may be compromised.

> The malicious versions inject a new dependency, [email protected], which is never imported anywhere in the axios source code. Its sole purpose is to execute a postinstall script that acts as a cross-platform remote access trojan (RAT) dropper, targeting macOS, Windows, and Linux. The dropper contacts a live command and control server and delivers platform-specific second stage payloads. After execution, the malware deletes itself and replaces its own package.json with a clean version to evade forensic detection.

I strongly recommend you read the entire article.
Hopefully desktop Linux users will start to understand that malware actually does exist for Linux and that their operating system is doing nothing to protect them from getting RATed.

Yet npm isn't using them, allowing this RAT to work. It is not secure by default. It requires every app to manually opt in to being secure. This opt-in approach to security puts desktop Linux decades behind in regards to security. Not ahead.