The biggest story of the week is a new massive supply chain breach, which appears to be unrelated to the previous massive supply chain breaches, this time of the Axios HTTP project.

Axios was created as a more developer-friendly Javascript HTTP interface for node.js, giving a promise-based API instead of the basic callback API. (Promise-based programming allows for simpler coding workflows, where a program can wait for a promise to be fulfilled, instead of the developer having to manage the state of every request manually.) Javascript has since provided a modern Fetch API that provides similar functionality, but Axios remains one of the most popular packages on the node.js NPM repository, with 100 million weekly downloads.

The lead developer of Axios believes he was compromised by a collaboration request – a common tactic for phishing specific targets: a project for an IDE like VS Code can include code that executes on the developers system when the project is run. Even outside a traditional IDE, common development tools like configure scripts and makefiles can easily run commands.

Socket.dev breaks down the attack in detail. Once the attackers had credentials to publish to the Axios NPM, they inserted malware as a new dependency to Axios, instead of modifying Axios itself. This likely helped the attack bypass other security checkers. The dependency – plain-crypto-js – is itself simply a copy of a popular encryption utility library, but one which executes additional code during the post-installation process available to all NPM packages. Continue reading “This Week In Security: The Supply Chain Has Problems” →