Axios Software Tool Used by Millions Compromised in Hack

March 31, 2026

Axios, a tool widely used to develop software applications, was compromised overnight, introducing a vulnerability in a key part of the internet’s plumbing.

Late Monday, an unknown hacker breached one of the few accounts that can release new versions of Axios and published malicious versions of it. Axios, or Axios NPM, is a client that software developers use to send requests to servers — allowing software to connect to the web — and is downloaded about 80 million times every week. NPMs are reusable packages of code that make it faster to develop software.

The hacked code was live for about three hours before it was discovered and removed from circulation. The extent of the damage and the purpose of the breach are still unclear.

The malicious code could be used to breach major operating systems including Windows, macOS and Linux, according to John Hammond, senior principal security researcher at the cybersecurity firm Huntress. “The scope of this compromise is significant” because of how widespread the Axios product is, he said. Anyone who has downloaded the malicious version of Axios could then have their own computer compromised, and the data stored on it stolen, by hackers.

This type of supply-chain hack — where a bad actor gets into a system through a vulnerability in a third party — has become more common in recent years. In 2020, a suspected Russian state-sponsored group breached software manufactured by the US company SolarWinds and deployed a malicious update, which led to follow-on compromises at nine US government agencies and about 100 companies.

“The primary concern is no longer initial access alone, but the potential blast radius and the extent of any compromise already established,” Jon Robertson, managing director at Australian cybersecurity firm Tarian Cyber, said in an email.

Robertson and Hammond each said they’d seen an impact from the attack by Tuesday morning. Robertson said software development companies and internal developers had been affected by the hack. Hammond had identified at least 135 compromised computers.

Rafe Pilling, director of threat intelligence in the Sophos Counter Threat Unit, described the incident as serious but said the damage appeared to have been limited. “Fortunately it was detected early which has likely blunted the intended impact,” he said.

Axios is maintained by a community of contributors on the GitHub platform, rather than by a single company, and its code can be viewed by anyone. The hackers targeted one of the main developers responsible for maintaining it, breaching his GitHub account, according to researchers who examined the attack, including StepSecurity.

The attack, designed to cover the hacker’s tracks, was one of the “most operationally sophisticated supply chain attacks” ever documented against a large NPM, according to the StepSecurity analysis. The attackers created a system to install a harmful script before self-destructing, hiding the attack from developers inspecting the code. “This was not opportunistic. It was precision,” the research said.
