Summarizer

Anti-forensics techniques

Detailed analysis of how the malware deleted itself and replaced package.json with a clean stub reporting a different version number to evade detection

← Back to Axios compromised on NPM – Malicious versions drop remote access trojan

The malware exploits a gap between CI and developer machines: CI pipelines commonly install with `--ignore-scripts`, while a developer's plain `npm install` runs every `postinstall` hook, so the dropper executes on laptops even when it never runs in the build. The hook is a cross-platform Remote Access Trojan dropper that fetches platform-specific second stages. Its most striking feature is a "gaslighting" anti-forensics step: after running, it deletes itself and rewrites its own `package.json` to report a version number lower than the malicious one, so an incident responder checking installed packages sees a value that does not match the indicator they were given and may conclude the system is clean. This highlights a dangerous attack surface, a package modifying its own contents during installation, which is compounded by agentic coding tools that run `npm install` without a human in the loop. Detection therefore has to look past standard package listings to specific file artifacts, lockfile contents and network logs, because `npm list` and audit tooling read the version from the very file the malware rewrote.

4 comments tagged with this topic

View on HN · Topics
Ran npm ci --ignore-scripts in our CI for months but never thought about local dev. Turns out that's the gap: your CI is safe but your laptop runs postinstall on every npm install. The anti-forensics here are much more complicated than I had imagined. Sharing after getting my hands burned. After the RAT deploys, setup.js deletes itself and swaps package.json with a clean stub. Your node_modules looks fine. Only way to know is checking for artifacts: /Library/Caches/com.apple.act.mond on mac, %PROGRAMDATA%\wt.exe on windows, /tmp/ld.py on linux. Or grep network logs for sfrclak.com. Somehow nobody is worried about how agentic coding tools run npm install autonomously. No human in the loop to notice a weird new transitive dep. That attack surface is just getting worse day by day.
View on HN · Topics
A command to recursively check for the compromised axios package versions (fish shell; needs GNU grep for -P):

```fish
# Walk every installed axios and flag the two compromised versions
find / -path '*/node_modules/axios/package.json' -type f 2>/dev/null | while read -l f
    # \K drops the '"version": "' prefix so only the version string is printed
    set -l v (grep -oP '"version"\s*:\s*"\K(1\.14\.1|0\.30\.4)' $f 2>/dev/null)
    if test -n "$v"
        printf '\a\n\033[1;31m FOUND v%s\033[0m \033[1;33m%s\033[0m\n' $v (string replace '/package.json' '' -- $f)
    else
        printf '\r\033[2m scanning: %s\033[K\033[0m' (string sub -l 70 -- $f)
    end
end
printf '\r\033[K\n\033[1;32m scan complete\033[0m\n'
```
View on HN · Topics
Absolutely. If you ever did an npm install on a project using one of the affected axios versions, your entire system may be compromised. > The malicious versions inject a new dependency, [email protected], which is never imported anywhere in the axios source code. Its sole purpose is to execute a postinstall script that acts as a cross-platform remote access trojan (RAT) dropper, targeting macOS, Windows, and Linux. The dropper contacts a live command and control server and delivers platform-specific second stage payloads. After execution, the malware deletes itself and replaces its own package.json with a clean version to evade forensic detection. I strongly recommend you read the entire article.
View on HN · Topics
> This creates a secondary deception layer. After infection, running npm list in the project directory will report [email protected] — because npm list reads the version field from the installed package.json, which now says 4.2.0. An incident responder checking installed packages would see a version number that does not match the malicious 4.2.1 version they were told to look for, potentially leading them to conclude the system was not compromised. WTF!!!! Gaslighting your victims into believing they are not victims. The ingenuity of this is truly mind-blowing. I am shocked that such a thing is even allowed. Like, packages should not be able to modify their contents while they are being installed.
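The checks the commenters converge on (the artifact paths and the axios version scan in the first two comments, and the rewritten-stub problem in the last two), combined into one script as an added example; this is not code from the article or from any commenter. Instead of trusting what `npm list` reports, it walks `node_modules` itself, flags axios at the versions named in the thread, compares each installed `package.json` version with the version `package-lock.json` recorded at install time (a stub rewritten by a `postinstall` script disagrees with the lock), and looks for the per-platform artifact paths quoted above. Assumptions that are not from the page: the injected dependency's name is passed in by the caller, since the page does not preserve it legibly; the lockfile uses the lockfileVersion 2/3 `packages` layout; the demo tree (`victim-app`, `demo-dep`, `left-pad`, the planted `tmp/ld.py`) is constructed here for illustration.

```python
"""Added example, not code from the article or the HN thread.

Hunt for the self-cleansing dropper without trusting `npm list`:
  1. axios installed at a version named in the thread,
  2. an installed package.json version that disagrees with the version
     package-lock.json recorded at install time (what a rewritten stub looks like),
  3. the per-platform artifact paths quoted in the thread.
Assumed (not from the page): caller supplies the injected dependency's name;
lockfile uses the lockfileVersion 2/3 "packages" layout.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

COMPROMISED_AXIOS = {"1.14.1", "0.30.4"}  # versions named in the thread

# Artifact paths quoted in the thread; %PROGRAMDATA% is expanded at check time.
ARTIFACTS = {
    "darwin": ["/Library/Caches/com.apple.act.mond"],
    "linux": ["/tmp/ld.py"],
    "win32": [r"%PROGRAMDATA%\wt.exe"],
}


def read_json(path):
    """Parse a JSON file, returning None on missing or malformed input."""
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return None


def lock_versions(project):
    """Map 'node_modules/<pkg>' keys to the versions recorded in package-lock.json."""
    lock = read_json(Path(project) / "package-lock.json") or {}
    packages = lock.get("packages", {})
    return {k: v["version"] for k, v in packages.items()
            if k and isinstance(v, dict) and "version" in v}


def scan_project(project, injected_dep=None):
    """Return (kind, package_dir, detail) findings; an empty list means nothing matched."""
    project = Path(project)
    locked = lock_versions(project)
    findings = []
    # Second pattern covers scoped packages (node_modules/@scope/name).
    for pattern in ("node_modules/*/package.json", "node_modules/@*/*/package.json"):
        for pkg_json in sorted(project.rglob(pattern)):
            data = read_json(pkg_json)
            if not data:
                continue
            name, installed = data.get("name"), data.get("version")
            rel = pkg_json.parent.relative_to(project).as_posix()
            if name == "axios" and installed in COMPROMISED_AXIOS:
                findings.append(("compromised-axios", rel, installed))
            recorded = locked.get(rel)
            if recorded is not None and recorded != installed:
                # The lock says what npm resolved; the installed file says otherwise.
                findings.append(("lock-mismatch", rel, f"lock={recorded} installed={installed}"))
            if injected_dep and name == injected_dep:
                findings.append(("injected-dep-present", rel, installed))
    return findings


def check_artifacts(platform=sys.platform, root=None):
    """Return artifact paths that exist; `root` re-bases absolute paths (used by the demo)."""
    hits = []
    for raw in ARTIFACTS.get(platform, []):
        path = Path(os.path.expandvars(raw))
        if root is not None and path.is_absolute():
            path = Path(root) / path.relative_to(path.anchor)
        if path.exists():
            hits.append(str(path))
    return hits


def build_demo_project(root):
    """Constructed sample tree (not a real install): the lock resolved axios 1.14.1 and
    demo-dep 4.2.1, but demo-dep's installed package.json was rewritten to claim 4.2.0."""
    root = Path(root)
    lock = {"lockfileVersion": 3, "packages": {
        "": {"name": "victim-app", "version": "1.0.0"},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/demo-dep": {"version": "4.2.1"},
        "node_modules/left-pad": {"version": "1.3.0"},
    }}
    (root / "package-lock.json").write_text(json.dumps(lock))
    for name, version in (("axios", "1.14.1"), ("demo-dep", "4.2.0"), ("left-pad", "1.3.0")):
        pkg_dir = root / "node_modules" / name
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps({"name": name, "version": version}))
    (root / "tmp").mkdir()
    (root / "tmp" / "ld.py").write_text("# planted artifact for the demo\n")


def run_demo():
    """Build the constructed tree in a scratch dir; return (findings, artifact hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_project(tmp)
        return scan_project(tmp, injected_dep="demo-dep"), check_artifacts("linux", root=tmp)


if __name__ == "__main__":
    findings, artifacts = run_demo()
    for finding in findings:
        print(*finding)
    print("artifacts:", artifacts)
```

On a real host run `scan_project` against each project directory (and `check_artifacts()` with no `root`), then corroborate with egress logs for the domain named in the thread; the lock comparison is the part that survives the stub rewrite, because `npm install` wrote the lockfile before the `postinstall` script ran.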