A hacker hijacked and modified a popular open-source software development tool to deliver malware, putting millions of developers at risk of compromise. On Monday, malicious versions of the widely used JavaScript library Axios were pushed to developers. Axios is an HTTP client that software relies on to make requests over the internet. The affected code was hosted on npm, the main package registry for JavaScript open-source projects. Axios is downloaded tens of millions of times every week.
The hijack was spotted and stopped in approximately three hours overnight from Monday into Tuesday, according to a security firm that analyzed the attack. Hackers are increasingly targeting the developers of popular open-source projects as a way to mass-hack anyone who relies on the compromised code, which can grant them access to vast numbers of affected devices. These widespread breaches are called supply chain attacks because the attacker compromises software that others depend on, and then uses that foothold to compromise whoever downloads it.
In recent years, hackers have compromised companies and open-source tools in order to reach large numbers of their users. It is unclear how many people downloaded the malicious version of Axios during the brief window in which it was live. Another security company that investigated the incident said anyone who downloaded the code should assume their system is compromised.
The hacker was able to insert malicious code into Axios by compromising the account of one of the project's primary developers, who was authorized to publish updates. The hacker replaced the legitimate developer's email address on the account with their own, making it more difficult for the developer to regain access.
Once in control, the hacker inserted code designed to deliver a remote access trojan, or RAT, malware that can give an attacker full remote control of a victim's computer. The hacker then published new versions of Axios that looked like a legitimate update, with payloads for Windows, macOS, and Linux. According to security researchers, the malware and some of the delivery code were designed to delete themselves after installation in an attempt to evade detection by anti-malware engines and investigators.