
Critical Supply Chain Attack on Axios NPM: Detection and Incident Response Guide

Security Arsenal Team
April 3, 2026

Introduction

In a disturbing development for the JavaScript ecosystem, the widely used axios npm package—the most popular HTTP client for Node.js—has been confirmed as the victim of a supply chain attack. Malicious actors published new versions of the package (1.14.1 and 0.30.4) containing obfuscated code designed to steal sensitive environment data.

For defenders, this is not just a patch Tuesday scenario; it is a confirmed active exploitation event. Any environment that pulled these specific versions is effectively compromised. This blog post outlines the technical mechanics of the attack, provides detection rules for your security stack, and details the immediate incident response steps required to contain the breach.

Technical Analysis

The Vulnerability

This incident is a classic software supply chain attack. It appears that the attackers compromised the maintainer's credentials or the publishing pipeline, allowing them to upload new versions that masquerade as legitimate patches. The malicious versions are:

  • axios version 1.14.1
  • axios version 0.30.4

Impact and Payload

The malicious code embedded in these versions is engineered to exfiltrate sensitive data. Upon execution, the script attempts to read environment variables (often containing API keys, database credentials, and cloud secrets) and sends them to a remote attacker-controlled server. Given Axios's widespread use in cloud-native applications, serverless functions, and CI/CD pipelines, the exposure of credentials is the primary risk.

Severity

CVSS Severity: Critical (CVSS Score 10.0 estimated)

This is a high-severity event because the attack runs with the privileges of the application consuming the package, often leading to full system compromise in the context of that application or lateral movement using stolen cloud credentials.

Patch and Fix Status

The compromised versions have been removed from the npm registry. However, simply "updating" to the latest version is insufficient if the malicious code has already executed. The fixed versions are those excluding 1.14.1 and 0.30.4 (e.g., 1.14.0 or newer non-malicious releases).

Defensive Monitoring

Defenders must assume that any system running these versions has already been breached. The following detection mechanisms will help identify vulnerable hosts and signs of active data exfiltration.

SIGMA Detection Rules

The following SIGMA rules can be deployed to your SIEM (e.g., Splunk, Elastic, QRadar) to detect the installation of the malicious package or the subsequent suspicious process execution.

YAML
---
title: Potential Installation of Malicious Axios NPM Package
id: 6a8c9d10-1b2e-4c3d-9e0f-123456789abc
status: experimental
description: |
  Detects npm, yarn or pnpm being invoked with an explicit pin to one of the
  malicious Axios versions (1.14.1 or 0.30.4). Installs resolved from a lockfile
  (e.g. "npm ci") do not carry the version on the command line and are not
  caught here; pair this rule with the file-based checks in this guide.
references:
  - https://www.tenable.com/blog/supply-chain-attack-on-axios-npm-package-scope-impact-and-remediations
author: Security Arsenal
date: 2024/12/10
tags:
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: process_creation
  product: windows
detection:
  # The package manager may be launched from any parent (cmd.exe, powershell.exe,
  # an IDE, a CI agent), so only the launched image is constrained.
  selection_tool:
    Image|endswith:
      - '\node.exe'
      - '\npm.cmd'
      - '\yarn.cmd'
      - '\pnpm.cmd'
  selection_version:
    CommandLine|contains:
      - 'axios@1.14.1'
      - 'axios@0.30.4'
  condition: selection_tool and selection_version
falsepositives:
  - Developers testing specific package versions in a sandbox
  - Later releases whose number starts with the same digits (e.g. 1.14.10), since the match is a substring match
level: critical
---
title: Node.js Spawning Suspicious Shell Process
id: b7c8d9e0-f1a2-3456-bcde-f01234567890
status: experimental
description: Detects Node.js spawning cmd.exe or PowerShell, a common behaviour of malicious npm packages such as the Axios supply chain attack when stealing credentials.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2024/12/10
tags:
  - attack.execution
  - attack.t1059.003
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\node.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection
falsepositives:
  - Legitimate build scripts or development tools
level: high

KQL Queries (Microsoft Sentinel / Defender)

Use these KQL queries to hunt for indicators of compromise within your Microsoft environment.

KQL — Microsoft Sentinel / Defender
// Hunt for explicit installs of the malicious Axios versions.
// "contains" is used rather than "has" because dotted version strings are split into
// several terms by the indexer, which makes term matching unreliable for them.
DeviceProcessEvents
| where FileName in~ ("node.exe", "npm.cmd", "yarn.cmd", "pnpm.cmd")
| where ProcessCommandLine contains "axios@1.14.1" or ProcessCommandLine contains "axios@0.30.4"
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, FolderPath

// Hunt for Node.js spawning shell processes (potential data exfiltration)
DeviceProcessEvents
| where InitiatingProcessFileName =~ "node.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, InitiatingProcessCommandLine, FileName, ProcessCommandLine
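To make the two detections concrete, the following is an added Python example (not code from the original post or from Security Arsenal) that replays the logic of the Sigma rules and KQL queries above over a handful of constructed Windows process-creation events. The event records and file paths are invented for the illustration. Note what it shows about coverage: the second event, an `npm ci` that resolves axios from a lockfile, never names the version on the command line and so does not fire the install rule, which is why the file-based checks later in this guide are needed alongside the process telemetry.

```python
"""Replay the Sigma / KQL detections above against constructed process-creation events.

Added example, not part of the original post. Field names follow the Sysmon /
Sigma process_creation convention (Image, ParentImage, CommandLine).
"""
import re
from dataclasses import dataclass

# Suffix matches mirror the Sigma "|endswith" modifiers; Windows paths are compared
# case-insensitively, as Sigma does for that platform.
PACKAGE_MANAGERS = ("\\node.exe", "\\npm.cmd", "\\yarn.cmd", "\\pnpm.cmd")
SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")

# Tighter than the Sigma "|contains": the lookahead stops 1.14.1 matching 1.14.10.
MALICIOUS_PIN = re.compile(r"axios@(1\.14\.1|0\.30\.4)(?!\d)")


@dataclass
class ProcessEvent:
    """Minimal process_creation record (constructed, not real telemetry)."""
    image: str
    parent_image: str
    command_line: str


def _endswith_any(value, suffixes):
    lowered = value.lower()
    return any(lowered.endswith(s.lower()) for s in suffixes)


def is_malicious_axios_install(ev):
    """Rule 1: a package manager launched with an explicit pin to a bad version."""
    return (_endswith_any(ev.image, PACKAGE_MANAGERS)
            and MALICIOUS_PIN.search(ev.command_line.lower()) is not None)


def is_node_spawning_shell(ev):
    """Rule 2: node.exe is the parent of cmd.exe / powershell.exe / pwsh.exe."""
    return _endswith_any(ev.parent_image, ("\\node.exe",)) and _endswith_any(ev.image, SHELLS)


def evaluate(events):
    """Return (rule_name, event) pairs for every event that fires a rule."""
    hits = []
    for ev in events:
        if is_malicious_axios_install(ev):
            hits.append(("malicious_axios_install", ev))
        if is_node_spawning_shell(ev):
            hits.append(("node_spawning_shell", ev))
    return hits


# Constructed sample events; none of these are real captures.
SAMPLE_EVENTS = [
    # 1. explicit pin from a developer shell: fires rule 1
    ProcessEvent(r"C:\Program Files\nodejs\npm.cmd", r"C:\Windows\System32\cmd.exe",
                 "npm install axios@1.14.1"),
    # 2. lockfile-driven install: the version never appears on the command line
    ProcessEvent(r"C:\Program Files\nodejs\node.exe", r"C:\Program Files\nodejs\npm.cmd",
                 r'node "C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js" ci'),
    # 3. node.exe launching PowerShell: fires rule 2
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\nodejs\node.exe", "powershell -NoProfile -File build.ps1"),
    # 4. a clean version pin: fires nothing
    ProcessEvent(r"C:\Program Files\nodejs\yarn.cmd", r"C:\Windows\System32\cmd.exe",
                 "yarn add axios@1.14.0"),
]

if __name__ == "__main__":
    for rule, ev in evaluate(SAMPLE_EVENTS):
        print(f"[{rule}] {ev.image} :: {ev.command_line}")
```

Running the module prints one line for the explicit install and one for the node-to-PowerShell spawn; the lockfile install and the clean pin stay silent, which is the expected behaviour of the rules as written.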

Velociraptor VQL Hunt

For endpoint visibility, use these Velociraptor hunts to scan for the presence of the malicious package files or versions in node_modules.

VQL — Velociraptor
-- Hunt for installed axios copies whose package.json carries a malicious version.
-- glob() returns file metadata only, so read_file() is used to fetch the content;
-- the alias defined in SELECT can be referenced in WHERE.
-- Adjust the glob root for the platform (e.g. 'C:/**/node_modules/axios/package.json' on Windows).
SELECT OSPath, Mtime, read_file(filename=OSPath) AS Content
FROM glob(globs='/**/node_modules/axios/package.json')
WHERE Content =~ '"version": *"(1[.]14[.]1|0[.]30[.]4)"'

-- Hunt for recent npm logs that record an explicit install of a malicious version.
-- npm 7 and later write logs under the cache directory (~/.npm/_logs/*-debug-0.log);
-- older releases write npm-debug.log next to the project.
SELECT OSPath, Mtime
FROM glob(globs=['/**/npm-debug.log*', '/**/.npm/_logs/*-debug*.log'])
WHERE Mtime > timestamp(epoch=now() - 7 * 86400)
  AND read_file(filename=OSPath) =~ 'axios@(1[.]14[.]1|0[.]30[.]4)'

Remediation and Verification Scripts

Bash Script (Linux/Mac):

Bash / Shell
#!/bin/bash
# Check for malicious axios versions in the current directory tree:
#  1) installed copies  - node_modules/axios/package.json carries the real "version"
#  2) declared versions - a project package.json that pins axios to a bad release
set -u
echo "Scanning for malicious Axios versions..."
find . -type f -path '*/node_modules/axios/package.json' -print0 | while IFS= read -r -d '' file; do
  if grep -Eq '"version":[[:space:]]*"(1\.14\.1|0\.30\.4)"' "$file"; then
    echo "[MALICIOUS] Installed compromised version in: $file"
  fi
done
find . -type f -name package.json -not -path '*/node_modules/*' -print0 | while IFS= read -r -d '' file; do
  # an optional ^ or ~ prefix still resolves to the pinned version when nothing newer exists
  if grep -Eq '"axios":[[:space:]]*"[~^]?(1\.14\.1|0\.30\.4)"' "$file"; then
    echo "[MALICIOUS] Dependency pinned to compromised version in: $file"
  fi
done

PowerShell Script (Windows):

PowerShell
# Scan package.json files for malicious Axios versions (declared pins and installed copies)
Get-ChildItem -Path . -Recurse -Filter "package.json" -ErrorAction SilentlyContinue | ForEach-Object {
    $content = Get-Content $_.FullName -Raw
    # installed copy: node_modules\axios\package.json carries the real "version"
    $installed = $_.FullName -like '*\node_modules\axios\package.json' -and
                 $content -match '"version":\s*"(1\.14\.1|0\.30\.4)"'
    # declared dependency: "axios": "1.14.1", optionally prefixed with ^ or ~
    $declared = $content -match '"axios":\s*"[~^]?(1\.14\.1|0\.30\.4)"'
    if ($installed -or $declared) {
        Write-Host "[ALERT] Malicious Axios version found in: $($_.FullName)" -ForegroundColor Red
    }
}

Remediation Steps

If your environment is affected, you must treat this as a full security incident, not a routine maintenance task.

  1. Immediate Quarantine: Identify any hosts where the malicious versions (1.14.1 or 0.30.4) are present. Isolate these hosts from the network immediately to prevent further data exfiltration.

  2. Rotate All Secrets: Assume all credentials (AWS/Azure/GCP keys, database passwords, private API keys) stored in environment variables on affected hosts are compromised. Rotate them immediately.

  3. Audit CI/CD Pipelines: Check your build logs. If these versions were pulled into a CI/CD pipeline, your build artifacts or deployment credentials may be compromised.

  4. Sanitize and Rebuild: Do not simply run npm update.

    • Delete the node_modules folder and package-lock.json / yarn.lock.
    • Audit your package.json to ensure it does not pin to the malicious versions.
    • Reinstall dependencies using a verified, clean version (e.g., explicitly pin to 1.4.0 or the latest verified safe version).

  5. Threat Hunt: Review network logs from the time of installation for outbound connections to unknown or suspicious domains associated with the data exfiltration payload.
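Steps 1 and 4 hinge on knowing which axios version a project actually resolved, and package.json alone does not tell you: a range such as "^1.14.0" resolves to whatever the lockfile recorded. The following is an added Python example (not code from the original post or from Security Arsenal) that reads the resolved axios version out of package-lock.json (lockfileVersion 1, 2 and 3) and a classic v1 yarn.lock, and walks a checkout for installed node_modules/axios copies. The sample lockfiles embedded below are constructed for the illustration; the lockfile layouts themselves are the documented npm and yarn formats.

```python
"""Audit lockfiles and installed node_modules copies for the compromised axios releases.

Added example, not part of the original post. Covers remediation step 4 and the
verification scripts by reading the *resolved* version from lockfiles, where it
lives even when package.json only declares a range.
"""
import json
import os
import re

MALICIOUS_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}


def package_lock_axios_versions(lock):
    """Return [(install_path, version)] for every axios entry in a parsed package-lock.json."""
    found = []
    if "packages" in lock:  # lockfileVersion 2 and 3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if path == "node_modules/axios" or path.endswith("/node_modules/axios"):
                found.append((path, meta.get("version", "")))
        return found

    def walk(deps, prefix):  # lockfileVersion 1: nested "dependencies" trees
        for name, meta in deps.items():
            path = prefix + "node_modules/" + name
            if name == "axios":
                found.append((path, meta.get("version", "")))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return found


# Classic yarn.lock: a key line such as  "axios@^1.14.0", "axios@1.14.1":  followed by
# an indented  version "1.14.1"  line.
YARN_V1_ENTRY = re.compile(r'^("?axios@[^\n]*):\n\s+version "([^"]+)"', re.MULTILINE)


def yarn_lock_axios_versions(text):
    """Return [(entry_key, version)] for axios entries in a classic (v1) yarn.lock."""
    return [(m.group(1), m.group(2)) for m in YARN_V1_ENTRY.finditer(text)]


def flag_malicious(entries):
    """Keep only entries whose resolved version is one of the compromised releases."""
    return [(where, ver) for where, ver in entries if ver in MALICIOUS_AXIOS_VERSIONS]


def audit_lockfile_text(text):
    """Parse package-lock.json text and return the compromised axios entries."""
    return flag_malicious(package_lock_axios_versions(json.loads(text)))


def scan_installed(root):
    """Walk a checkout and report node_modules/axios/package.json files with a bad version."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        parent = os.path.basename(os.path.dirname(dirpath))
        if os.path.basename(dirpath) != "axios" or parent != "node_modules":
            continue
        if "package.json" not in filenames:
            continue
        pkg = os.path.join(dirpath, "package.json")
        try:
            with open(pkg, encoding="utf-8") as fh:
                version = json.load(fh).get("version", "")
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than abort the scan
        if version in MALICIOUS_AXIOS_VERSIONS:
            hits.append((pkg, version))
    return hits


# Constructed sample inputs (not real project files).
SAMPLE_PACKAGE_LOCK_V3 = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/some-sdk/node_modules/axios": {"version": "1.7.9"},
    },
})
SAMPLE_PACKAGE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "some-sdk": {"version": "2.0.0",
                     "dependencies": {"axios": {"version": "0.30.4"}}},
    },
})
SAMPLE_YARN_LOCK = '''# yarn lockfile v1

"axios@^1.14.0", "axios@1.14.1":
  version "1.14.1"
  resolved "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz"

left-pad@^1.3.0:
  version "1.3.0"
'''

if __name__ == "__main__":
    for label, findings in [
        ("package-lock v3", audit_lockfile_text(SAMPLE_PACKAGE_LOCK_V3)),
        ("package-lock v1", audit_lockfile_text(SAMPLE_PACKAGE_LOCK_V1)),
        ("yarn.lock", flag_malicious(yarn_lock_axios_versions(SAMPLE_YARN_LOCK))),
        ("installed", scan_installed(".")),
    ]:
        for where, ver in findings:
            print(f"[MALICIOUS] {label}: {where} resolves axios {ver}")
```

Point `scan_installed()` at a project root (or a CI workspace) to confirm that the rebuild in step 4 actually removed the compromised copies; the lockfile functions are the check to run on any branch before it is merged, since the lockfile, not package.json, decides what `npm ci` installs.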
