Axios JavaScript library has been compromised with malware in supply chain attack
https://github.com/axios/axios/issues/10604#issuecomment-4159614233
17 Comments
You can mitigate similar attacks by editing your .npmrc
min-release-age=7 # days
ignore-scripts=true
It’s a good way to keep the exploit around for seven days, too, if you apply it right away.
I agree, I think it would be better to use something like dependabot or renovatebot so you can know of and apply security updates right away.
How? If you got hit by this you are looking at restoring the system from a safe previous version.
And the compromised versions get pulled, not superseded by a new release, so once you rebuild you would go back to a safe version…
I always advocate switching to pnpm where install scripts are disabled by default. It has plenty of security features to ward off most supply chain attacks.
Does disabling install scripts actually do anything though? The attack would still work if put in the code itself, no? The only difference I can see is that it would run when the project is run instead of when the package is installed.
Minimum age would have prevented it in this case.
On closer inspection, preventing post-install would have fixed it too: “The attack exploited a transitive dependency, plain-crypto-js@4.2.1, which executed a postinstall script to deploy the RAT.”
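Added example, not from the thread: a small audit that lists the install-time lifecycle hooks (preinstall, install, postinstall, and prepare for git dependencies) declared in package manifests. These are exactly the scripts that `ignore-scripts=true` and pnpm's default refuse to run. The manifests below are constructed for the demo; the "plain-crypto-js" entry only borrows the name quoted above, and its script body is a harmless placeholder, not the real payload.

```javascript
// Lifecycle hooks npm runs automatically when a dependency is installed.
// "prepare" is only run for dependencies fetched from git, not registry tarballs.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Constructed sample manifests (shape of package.json), not real registry data.
const sampleManifests = [
  { name: "axios", version: "0.0.0-placeholder", scripts: { test: "mocha", build: "rollup -c" } },
  { name: "plain-crypto-js", version: "4.2.1", scripts: { postinstall: "node ./setup.js" } },
  { name: "no-scripts-lib", version: "1.0.0" },
];

// Return one finding per (package, hook) pair so a reviewer can see which
// commands would execute during `npm install` with scripts enabled.
function findInstallHooks(manifests) {
  const findings = [];
  for (const pkg of manifests) {
    const scripts = pkg.scripts || {};
    for (const hook of INSTALL_HOOKS) {
      if (Object.prototype.hasOwnProperty.call(scripts, hook)) {
        findings.push({ package: `${pkg.name}@${pkg.version}`, hook, command: scripts[hook] });
      }
    }
  }
  return findings;
}

// Helper (hypothetical usage, only runs when called): read every
// node_modules/<name>/package.json, including scoped @org/name packages.
function loadManifests(nodeModulesDir) {
  const fs = require("node:fs");
  const path = require("node:path");
  const manifests = [];
  const visit = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      if (!entry.isDirectory()) continue;
      const full = path.join(dir, entry.name);
      if (entry.name.startsWith("@")) { visit(full); continue; }
      const manifestPath = path.join(full, "package.json");
      if (fs.existsSync(manifestPath)) {
        try { manifests.push(JSON.parse(fs.readFileSync(manifestPath, "utf8"))); } catch (_) { /* skip unreadable */ }
      }
    }
  };
  visit(nodeModulesDir);
  return manifests;
}

for (const f of findInstallHooks(sampleManifests)) {
  console.log(`${f.package} declares ${f.hook}: ${f.command}`);
}
```

Run `findInstallHooks(loadManifests("node_modules"))` after an install to see which packages would have executed code on your machine. One caveat a practitioner will hit: `ignore-scripts=true` also suppresses your own project's lifecycle scripts and the build steps of packages that legitimately compile native code, so those have to be run explicitly after reviewing them.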
I was trying to figure out why people still use Axios, when the built-in fetch works just fine. Is it because people are still sending XML requests?
It provides a lot of nice syntactic sugar that you would otherwise have to write a wrapper for on top of Fetch. Built in request interception, request transformation, (de)serialization, shared request config, timeout/retries management, …
Though this definitely comes with bloat and supply chain risks.
Because most projects are legacy projects.
I was reading through the thread, and it looks like the package managers have implemented an option that says “only install package versions that are X minutes/days old”. The idea is NPM has had time to act before your package manager installs that new version.
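Added example, not from the thread or any package manager's source, showing what a minimum release age policy (the `.npmrc` setting above, and the "X days old" option described here) actually decides: from a package's registry metadata, pick the newest version that was published at least N days ago, and refuse to resolve anything if no version is old enough. The registry document below is constructed; it only copies the shape of the real npm registry response, whose `time` map carries one ISO timestamp per published version.

```javascript
// Constructed registry metadata for a hypothetical package "example-lib".
// Only the fields the policy needs are included.
const registryDoc = {
  name: "example-lib",
  "dist-tags": { latest: "4.2.1" },
  time: {
    created: "2020-01-01T00:00:00.000Z",
    modified: "2026-03-30T12:00:00.000Z",
    "4.1.0": "2025-11-02T10:00:00.000Z",
    "4.2.0": "2026-01-15T09:30:00.000Z",
    "4.2.1": "2026-03-30T12:00:00.000Z", // freshly published: the one a min-age rule holds back
  },
};

// Accept plain "major.minor.patch" versions; pre-releases and the
// "created"/"modified" keys of the time map are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Newest version published on or before (now - minReleaseAgeDays), or null
// when every version is too new. Returning null rather than falling back to
// "latest" is the point: the install should stop, not silently take the
// version the policy was meant to hold back.
function selectVersion(doc, { minReleaseAgeDays, now = new Date() }) {
  const cutoff = now.getTime() - minReleaseAgeDays * 24 * 60 * 60 * 1000;
  const eligible = Object.entries(doc.time)
    .filter(([version]) => parseVersion(version) !== null)
    .filter(([, publishedAt]) => Date.parse(publishedAt) <= cutoff)
    .map(([version]) => version)
    .sort(compareVersions);
  return eligible.length > 0 ? eligible[eligible.length - 1] : null;
}

// Demo: on 2026-04-01 a 7-day rule skips 4.2.1 (two days old) and resolves 4.2.0.
console.log(selectVersion(registryDoc, { minReleaseAgeDays: 7, now: new Date("2026-04-01T00:00:00Z") }));
```

The two limits raised earlier in the thread fall out of the logic directly: the rule only delays exposure by N days, so a compromised version that the registry has not pulled by then becomes eligible, and a version you already installed is unaffected by a rule applied afterwards. The policy is a buffer for the registry and the community to react in, not a substitute for removing a bad version from the lockfile once it is known.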
Really sophisticated attack