Particle.news

Axios npm Package Briefly Trojanized After Maintainer Account Takeover

The case shows how a single maintainer breach can push malware to millions.

Overview

  • Axios, which saw two trojanized releases go live Tuesday, was compromised when the lead maintainer’s device and npm account were hijacked.
  • The malicious versions 1.14.1 and 0.30.4 added a dependency named plain-crypto-js whose install script fetched a cross‑platform remote access tool and called out to sfrclak[.]com and 142.11.206.73.
  • The packages were removed in about three hours, and users are urged to roll back to 1.14.0 or 0.30.3, delete plain-crypto-js, rotate all credentials, and check logs for the listed network beacons.
  • The maintainer described a tailored social‑engineering setup using fake Slack and Microsoft Teams invites that led to a RAT on his PC, with reporting linking the tradecraft to the UNC1069 group.
  • Investigators and vendors say this mirrors a wider run of supply‑chain attacks on CI pipelines and registries, and projects are shifting to OIDC-based publishing, immutable releases, and pre‑install checks to cut the exposure window.
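Added example, not code from the article or the Axios project: a small Node script that audits a lockfileVersion 2/3 package-lock.json for the two trojanized axios versions and the plain-crypto-js dependency, and filters log lines for the two beacon indicators listed above. The lockfile and log lines are constructed sample input, and the version recorded for plain-crypto-js is a placeholder.

```javascript
// Indicators below (affected versions, dependency name, beacons) are the ones
// the report names; everything else is constructed sample data.
const AFFECTED_AXIOS = new Set(["1.14.1", "0.30.4"]);
const SAFE_AXIOS = { "1.14.1": "1.14.0", "0.30.4": "0.30.3" };
const MALICIOUS_DEP = "plain-crypto-js";
// The domain is defanged in the report; undo "[.]" so it matches real log entries.
const BEACONS = ["sfrclak[.]com".replace("[.]", "."), "142.11.206.73"];

// Walk the "packages" map of a lockfileVersion 2/3 file. Keys look like
// "node_modules/axios" or "node_modules/foo/node_modules/axios" (nested installs).
function findAffected(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (name === "axios" && AFFECTED_AXIOS.has(meta.version)) {
      findings.push({ path, issue: `axios ${meta.version} is trojanized; pin ${SAFE_AXIOS[meta.version]}` });
    }
    if (name === MALICIOUS_DEP) {
      findings.push({ path, issue: `${MALICIOUS_DEP} present; remove it and rotate credentials` });
    }
  }
  return findings;
}

// Return only the log lines that mention either beacon indicator.
function scanLogsForBeacons(lines) {
  return lines.filter((line) => BEACONS.some((ioc) => line.includes(ioc)));
}

// Constructed sample lockfile: one affected axios plus the dropped-in dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "0.0.0-placeholder" }, // version is a placeholder
    "node_modules/lodash": { version: "4.17.21" },
  },
};

// Constructed sample egress/proxy log lines.
const SAMPLE_LOGS = [
  "proxy CONNECT sfrclak.com:443 from build-agent-7",
  "proxy GET https://registry.npmjs.org/axios 200",
  "firewall DENY dst=142.11.206.73 dport=443 from build-agent-7",
];

console.log(JSON.stringify(findAffected(SAMPLE_LOCK), null, 2));
console.log(scanLogsForBeacons(SAMPLE_LOGS));
```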