There has been a supply chain attack on Axios, the popular npm HTTP client: two new versions of the package were published with a malicious dependency. This article looks at the Node.js malware those versions deliver.
Axios versions 1.14.1 and 0.30.4 were found to pull in "plain-crypto-js" version 4.2.1 as a fake dependency. Both versions were published with the compromised npm credentials of the main Axios maintainer ("jasonsaayman"). If you have Axios 1.14.1 or 0.30.4 installed, rotate your passwords and secrets immediately and roll back to a safe version. The malicious versions have since been removed from the npm registry and can no longer be downloaded.
The embedded malware is launched by a hidden Node.js dropper and branches into one of three attack paths depending on the operating system.
According to StepSecurity, both malicious Axios versions use the fake dependency plain-crypto-js@4.2.1 to run a postinstall script that installs a cross-platform remote access trojan (RAT). To find out whether they have been compromised, users should check for the malicious Axios versions and look for the RAT's dropped files: "/Library/Caches/com.apple.act.mond" (macOS), "%PROGRAMDATA%\wt.exe" (Windows) and "/tmp/ld.py" (Linux).
If you find them, roll back to Axios version 1.14.0 or 0.30.3. Socket found two more packages spreading the same malware through separate dependencies: @shadanai/openclaw and @qqbrowser/openclaw-qbot (version 0.0-0.130).
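The checks described above, written out as an added example that is not the article's own code and not StepSecurity's or Socket's: a shell script that walks a project tree for the compromised Axios releases and the injected plain-crypto-js@4.2.1, and checks the host for the three RAT artefact paths. The version numbers and paths are the ones the article gives; the function names and the sample install it builds for the demo are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article, StepSecurity or Socket.
# Checks a project tree for the compromised axios releases and the injected
# plain-crypto-js@4.2.1 dependency, and checks the host for the RAT artefact
# paths the article lists. Version numbers and paths come from the article;
# function names and the constructed sample project are assumptions.

MALICIOUS_AXIOS="1.14.1 0.30.4"
MALICIOUS_DEP="plain-crypto-js"
MALICIOUS_DEP_VERSION="4.2.1"
# %PROGRAMDATA% only resolves when this runs in a Windows shell (e.g. Git Bash).
IOC_PATHS="/Library/Caches/com.apple.act.mond ${PROGRAMDATA:-/ProgramData}/wt.exe /tmp/ld.py"

# Print the "version" field of a package.json (no jq dependency).
pkg_version() {
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 if the given axios version is one of the compromised releases.
axios_version_is_malicious() {
  for v in $MALICIOUS_AXIOS; do
    [ "$1" = "$v" ] && return 0
  done
  return 1
}

# Walk every node_modules/axios and node_modules/plain-crypto-js under $1,
# nested installs included, and print one line per finding.
scan_project() {
  find "$1" -type f \( -path '*/node_modules/axios/package.json' \
      -o -path "*/node_modules/$MALICIOUS_DEP/package.json" \) 2>/dev/null |
  while IFS= read -r f; do
    v=$(pkg_version "$f")
    case "$f" in
      */node_modules/axios/package.json)
        if axios_version_is_malicious "$v"; then
          echo "COMPROMISED axios@$v at $f"
        fi ;;
      *)
        if [ "$v" = "$MALICIOUS_DEP_VERSION" ]; then
          echo "MALICIOUS DEPENDENCY $MALICIOUS_DEP@$v at $f"
        fi ;;
    esac
  done
}

# Return 0 (and print the findings) if the project tree contains anything malicious.
project_is_compromised() {
  findings=$(scan_project "$1")
  [ -n "$findings" ] && echo "$findings"
  [ -n "$findings" ]
}

# Return 0 if any of the dropped RAT files exists on this host.
rat_artifacts_present() {
  hit=1
  for p in $IOC_PATHS; do
    if [ -e "$p" ]; then
      echo "RAT ARTIFACT PRESENT: $p"
      hit=0
    fi
  done
  return $hit
}

# Demo against a constructed project: sample data written here, not a real install.
# A top-level axios@1.14.1 and plain-crypto-js@4.2.1 are flagged; a nested
# axios@1.14.0 under another dependency is correctly left alone.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/node_modules/axios" "$tmp/node_modules/$MALICIOUS_DEP" \
           "$tmp/node_modules/good-dep/node_modules/axios"
  printf '{ "name": "axios", "version": "1.14.1" }\n' > "$tmp/node_modules/axios/package.json"
  printf '{ "name": "%s", "version": "4.2.1" }\n' "$MALICIOUS_DEP" > "$tmp/node_modules/$MALICIOUS_DEP/package.json"
  printf '{ "name": "axios", "version": "1.14.0" }\n' > "$tmp/node_modules/good-dep/node_modules/axios/package.json"
  if project_is_compromised "$tmp"; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}

demo
rat_artifacts_present || echo "no RAT artefacts found on this host"
```

Run `project_is_compromised .` in every checkout and in CI runner caches, and `rat_artifacts_present` on any machine where `npm install` ran while the bad versions were live. Absence of the dropped files is not proof that nothing executed, so a positive version match still calls for the secret rotation the article describes. Installing with `npm install --ignore-scripts` stops postinstall hooks such as this one from running at all, at the cost of breaking packages that legitimately rely on them.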

