Resolved -
Dear Customers, Following recent reports regarding the Axios NPM package compromise, we have continued our threat-focused hunting efforts, specifically reviewing IOC hits and related TTPs associated with this campaign. Axon reports have been published for Team Axon customers. These reports include:
A consolidated list of relevant IOCs Threat hunting queries Threat hunting results across applicable environments Any findings that may require your attention are highlighted within your Axon report. If you have any questions or require further assistance, please do not hesitate to reach out. Best regards, Team Axon
Mar 31, 15:56 UTC
Identified -
Dear Customers,
Team Axon is actively monitoring a recent supply chain compromise affecting the widely used NPM package axios, which introduces significant risk across enterprise environments relying on this dependency.
Axios Compromise: Malicious versions of the axios package were published to NPM, embedding a remote access trojan. These versions were capable of establishing outbound connections to attacker-controlled infrastructure, enabling remote command execution and potential data exfiltration from affected systems.
The compromise is particularly concerning due to Axios’s widespread use in both frontend and backend applications, increasing the likelihood of downstream impact across development pipelines and production environments.
This incident exposes organizations to: - Unauthorized remote access to affected systems through embedded backdoor functionality. - Execution of attacker-controlled commands within application environments. - Potential exfiltration of sensitive data, including credentials and application data. - Supply chain propagation through dependent applications and services.
Our team continues to assess the scope and technical details of this compromise. In case we identify strong indications of exposure within your environment, we will reach out directly.
For further assistance or validation, please contact us.
File Hashes: 2553649f2322049666871cea80a5d0d6adc700ca d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71 07d889e2dadce6f3910dcbc253317d28ca61c766
Mar 31, 11:40 UTC