A hacker compromised a widely used open-source software development tool, posing a risk of malware delivery to millions of developers.
On Monday, a hacker published malicious versions of Axios, a popular JavaScript library that developers use to connect their software to the internet. The library is distributed through npm, a repository for open-source packages, and is downloaded tens of millions of times every week.
According to StepSecurity, the attack was detected and halted within approximately three hours overnight from Monday to Tuesday. These attacks are termed supply chain attacks because they target software that, once compromised, allows hackers access to whoever downloads it. Hackers have used this method in recent attacks on firms and open-source tools like 3CX, Kaseya, SolarWinds, Log4j, and Polyfill.io.
It’s uncertain how many developers downloaded the malicious Axios version during this timeframe. Aikido, another security company, advises that anyone who downloaded it should consider their system compromised.
The hacker broke into one of the Axios project’s primary developer accounts and used it to inject malicious code and publish new releases targeting Windows, macOS, and Linux users. The code was designed to install a remote access trojan, giving the attackers complete control of an infected system. The malware was also programmed to delete itself after installation to evade detection.
