The widely popular HTTP client Axios has been confirmed compromised in a critical supply chain attack. Malicious versions 1.14.1 and 0.30.4 were published to the npm registry containing obfuscated code designed to exfiltrate sensitive environment data.
For defenders, this is not a standard patch Tuesday scenario. This is a confirmed intrusion. Any environment where these specific versions were installed—whether in development, CI/CD pipelines, or production containers—must be treated as breached. The malicious payload targets .env files and runtime credentials, meaning simple patching leaves behind stolen credentials that remain valid. Immediate Incident Response (IR) protocols, including secret rotation and forensic analysis, are mandatory.
Technical Analysis
- Affected Products: Axios (JavaScript HTTP Client)
- Affected Platforms: Any system running Node.js and pulling from the public npm registry (Linux, Windows, macOS)
- Compromised Versions: 1.14.1, 0.30.4
- Safe Versions: Update to the latest patched versions immediately (e.g., >=1.14.2 or >=0.30.5). Verify integrity against the npm lockfile.
The Attack Chain
- Compromise: An attacker gained access to the Axios npm publisher account or automated release pipeline.
- Publication: Malicious package archives were published for versions 1.14.1 and 0.30.4. These versions appeared legitimate, passing standard dependency checks.
- Execution: Upon execution (during build or runtime), the malicious code inside the Axios library triggers.
- Exfiltration: The payload scrapes the process environment variables (e.g., AWS_SECRET_ACCESS_KEY, DATABASE_URL, API_TOKENS) and transmits them to a remote attacker-controlled server.
- Persistence: While the package itself acts as the persistence mechanism (running every time the app runs), the primary goal is data theft rather than system occupation.
Exploitation Status
Confirmed Active Exploitation. The Tenable advisory confirms the presence of these malicious versions in the wild. Given Axios' popularity (millions of weekly downloads), the blast radius is significant. Organizations should assume that if these versions were downloaded, secrets were already exfiltrated.
Detection & Response
Sigma Rules
The following Sigma rules detect the installation of the known malicious Axios versions via npm and yarn package managers.
---
title: Potential Installation of Malicious Axios Package - Windows
id: a1b2c3d4-5678-490a-bcde-1234567890ab
status: experimental
description: Detects execution of npm or yarn commands installing the compromised Axios versions (1.14.1 or 0.30.4) on Windows.
references:
  - https://www.tenable.com/blog/supply-chain-attack-on-axios-npm-package-scope-impact-and-remediations
author: Security Arsenal
date: 2024/05/23
tags:
  - attack.supply_chain
  - attack.initial_access
logsource:
  category: process_creation
  product: windows
detection:
  # Split into three selections: a YAML mapping cannot hold two
  # 'CommandLine|contains' keys, so the original single selection
  # silently dropped the install/add/update keyword list.
  selection_img:
    Image|endswith:
      - '\npm.cmd'
      - '\npm.exe'
      - '\yarn.cmd'
      - '\yarn.exe'
  selection_action:
    CommandLine|contains:
      - 'install'
      - 'add'
      - 'update'
  selection_version:
    CommandLine|contains:
      - 'axios@1.14.1'
      - 'axios@0.30.4'
  condition: all of selection_*
falsepositives:
  - Legitimate development testing of specific versions (unlikely for these specific malicious releases)
level: critical
---
title: Potential Installation of Malicious Axios Package - Linux
id: b2c3d4e5-6789-490a-bcde-2345678901bc
status: experimental
description: Detects execution of npm or yarn commands installing the compromised Axios versions (1.14.1 or 0.30.4) on Linux.
references:
  - https://www.tenable.com/blog/supply-chain-attack-on-axios-npm-package-scope-impact-and-remediations
author: Security Arsenal
date: 2024/05/23
tags:
  - attack.supply_chain
  - attack.initial_access
logsource:
  category: process_creation
  product: linux
detection:
  selection_img:
    Image|endswith:
      - '/npm'
      - '/yarn'
  selection_action:
    CommandLine|contains:
      - 'install'
      - 'add'
      - 'update'
  selection_version:
    CommandLine|contains:
      - 'axios@1.14.1'
      - 'axios@0.30.4'
  condition: all of selection_*
falsepositives:
  - Legitimate development testing of specific versions
level: critical
KQL (Microsoft Sentinel / Defender)
This query hunts process execution logs for installation of the malicious package versions. It targets the DeviceProcessEvents table (Windows); Linux hosts are covered only where npm process events are ingested into the same table (Syslog/CEF).
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessVersionInfoOriginalFileName in ("npm.exe", "node.exe")
    or ProcessVersionInfoCompanyName contains "npm, Inc."
    or ProcessVersionInfoProductName contains "npm"
// DeviceProcessEvents names the column ProcessCommandLine, not CommandLine
| where ProcessCommandLine has_any ("install", "add", "update")
| where ProcessCommandLine has_any ("axios@1.14.1", "axios@0.30.4")
| extend Reason = "Malicious Axios Installation Attempt"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine, FolderPath, Reason
Velociraptor VQL
This artifact hunts the file system for package.json files within node_modules/axios whose version field identifies the installed copy as one of the compromised releases.
-- Hunt for compromised Axios package.json versions on disk
SELECT FullPath, Mtime, Atime,
       read_file(filename=FullPath) AS Content
FROM glob(globs="**/node_modules/axios/package.json")
WHERE Content =~ '"version"\s*:\s*"1\.14\.1"'
   OR Content =~ '"version"\s*:\s*"0\.30\.4"'
Remediation Script (Bash)
This script scans a directory tree for package-lock.json files and node_modules installations that reference the compromised versions, then prints remediation guidance. Note: if compromise is confirmed, the host must be quarantined and secrets rotated.
#!/bin/bash
# Scan the current directory tree for the compromised Axios releases (1.14.1, 0.30.4).
set -u
echo "Scanning for compromised Axios versions (1.14.1, 0.30.4)..."

# Scan package-lock.json files for the bad versions.
# Lockfile v1 keys the entry as "axios": {, v2/v3 as "node_modules/axios": {
# (possibly nested under another package); the version is on a following line,
# so match the entry key and then look a few lines ahead for the version.
echo "Checking package-lock.json files..."
find . -name "package-lock.json" -type f | while read -r file; do
  if grep -A3 -E '(/|")axios": \{' "$file" | grep -qE '"version": *"(1\.14\.1|0\.30\.4)"'; then
    echo "[!] COMPROMISED lockfile found: $file"
  fi
done

# Scan installed node_modules for the bad versions via the package's own package.json
echo "Checking installed node_modules..."
find . -path "*/node_modules/axios/package.json" -type f | while read -r file; do
  if grep -qE '"version": *"(1\.14\.1|0\.30\.4)"' "$file"; then
    echo "[!] COMPROMISED installation found at: $(dirname "$file")"
  fi
done

echo "Scan complete."
echo "REMEDIATION:"
echo "1. Delete the 'node_modules' directory in affected projects."
echo "2. Update package.json to require axios >= 1.14.2 or >= 0.30.5."
echo "3. Run 'npm install' to rebuild dependencies."
echo "4. CRITICAL: Rotate ALL API keys, secrets, and credentials used by the application."
Remediation
1. Immediate Containment and Purging
If the malicious versions are detected:
- Quarantine Hosts: Isolate affected build servers and production containers from the network immediately to stop ongoing exfiltration.
- Purge Artifacts: Delete node_modules directories entirely. Do not attempt to "update" in place; remove the directory.
- Sanitize Source: Ensure your source package.json does not pin these versions. Pin to a safe major/minor version (e.g., "axios": "^1.14.2").
2. Credential Rotation (Priority 0)
- Assume all environment variables accessible to the compromised application have been stolen.
- Rotate all secrets: Database credentials, AWS/Azure/GCP access keys, third-party API keys (Stripe, Twilio, etc.), and internal service tokens.
- Review access logs for these accounts between the time of installation and remediation for signs of misuse.
3. Dependency Review
- Audit your package-lock.json and yarn.lock files to ensure no other dependencies have been altered.
- Implement Software Bill of Materials (SBOM) scanning in your CI/CD pipeline to catch malicious version releases automatically in the future.
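The lockfile audit above, as an added example that is not part of the advisory or of the Axios project: it parses the npm lockfile formats (v1 nested "dependencies", v2/v3 path-keyed "packages") and yarn.lock text for the two compromised releases, including copies nested under another package. The function names and the sample lockfiles are constructed for the example.

```javascript
// Added example: audit npm and yarn lockfiles for the compromised axios releases.
const BAD_AXIOS = new Set(["1.14.1", "0.30.4"]);

function auditNpmLock(lock) {
  const hits = [];
  if (lock.packages) {
    // v2/v3: keys are install paths such as "node_modules/axios" or
    // "node_modules/foo/node_modules/axios"; the root package is keyed "".
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/axios$/.test(p) && BAD_AXIOS.has(meta.version)) {
        hits.push({ path: p, version: meta.version });
      }
    }
    return hits;
  }
  // v1: nested "dependencies" tree; each entry may carry its own dependencies.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      if (name === "axios" && BAD_AXIOS.has(meta.version)) hits.push({ path: p, version: meta.version });
      walk(meta.dependencies, `${p}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// yarn.lock: a header such as  axios@^1.14.0:  (classic) or  "axios@npm:^1.14.0":  (berry)
// is followed by an indented version line; check the version of every axios entry.
function auditYarnLock(text) {
  const hits = [];
  const lines = text.split("\n");
  lines.forEach((line, i) => {
    if (!/^"?axios@/.test(line)) return;
    const vLine = lines.slice(i + 1, i + 4).find((l) => /^\s+version:?\s/.test(l));
    const m = vLine && vLine.match(/version:?\s+"?([^"\s]+)"?/);
    if (m && BAD_AXIOS.has(m[1])) hits.push({ path: line.replace(/:$/, ""), version: m[1] });
  });
  return hits;
}

// Constructed sample inputs (not real project files): a v3 lock with a nested bad copy,
// a v1 lock with a bad top-level copy, and a classic yarn.lock entry.
const SAMPLE_LOCK_V3 = { lockfileVersion: 3, packages: { "": { name: "demo" },
  "node_modules/axios": { version: "1.14.2" },
  "node_modules/legacy-sdk/node_modules/axios": { version: "0.30.4" } } };
const SAMPLE_LOCK_V1 = { lockfileVersion: 1, dependencies: {
  axios: { version: "1.14.1", dependencies: { "follow-redirects": { version: "1.15.0" } } } } };
const SAMPLE_YARN = 'axios@^1.14.0:\n  version "1.14.1"\n  resolved "<constructed>"\n';

console.log(auditNpmLock(SAMPLE_LOCK_V3), auditNpmLock(SAMPLE_LOCK_V1), auditYarnLock(SAMPLE_YARN));
```

Feed real files with `auditNpmLock(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))` and `auditYarnLock(fs.readFileSync("yarn.lock", "utf8"))`; an empty result means no compromised copy is pinned, but a safe lockfile does not prove an already-installed node_modules tree is clean.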