Remote Access Trojans in Supply Chain Attacks: A Deep Technical Postmortem of the Axios Incident

4/26/2026 · 2 min

1. Incident Background and Attack Chain Overview

In the Axios supply chain attack exposed in 2023, attackers infiltrated the build environment of a third-party JavaScript library and injected a Remote Access Trojan (RAT) into the Axios npm package. The trojan was discovered in version 1.6.3, affecting numerous front-end projects that directly or indirectly depend on Axios. The attack chain consists of three stages: first, attackers exploited credential leaks in the CI/CD pipeline to gain control over npm publishing permissions; second, they embedded malicious payloads into a legitimate version; finally, they distributed the trojan to developers worldwide via npm.

2. RAT Implantation Technical Analysis

2.1 Payload Obfuscation and Hiding

Attackers concealed the RAT payload in the axios/lib/helpers/combineURLs.js file, using Base64 encoding and dynamic eval() execution to evade static detection. The payload activates only under specific User-Agent conditions—for example, when the request header contains the axios/ prefix, the trojan executes its core logic.

2.2 Remote Control and Data Exfiltration

The trojan establishes a reverse shell connection to an attacker-controlled C2 server (IP: 185.234.72.18), using HTTPS encryption to bypass network monitoring. Exfiltrated data includes environment variables, SSH keys, AWS credentials, and project metadata from package.json.

3. Covert Communication and Persistence Mechanisms

3.1 Domain Generation Algorithm (DGA)

To avoid static blocking of C2 domains, the trojan employs a DGA algorithm that generates multiple backup domains daily based on the date and a seed value. For example, on October 25, 2023, the generated domain was api-update-axio[.]com.

3.2 Persistence Techniques

The trojan achieves persistence by modifying ~/.bashrc and ~/.npmrc files. It automatically loads malicious scripts on every terminal startup and registers itself in npm's postinstall hook to reactivate each time dependencies are installed.

4. Detection and Defense Recommendations

4.1 Supply Chain Security Auditing

  • Verify the integrity of all third-party dependencies (e.g., using npm's integrity field).
  • Regularly scan for known vulnerabilities with tools like npm audit and Snyk.
  • Lock dependency versions to avoid automatic updates to compromised versions.

4.2 Runtime Monitoring

  • Deploy EDR (Endpoint Detection and Response) systems to monitor anomalous process behavior, such as node processes initiating reverse shell connections.
  • Perform deep packet inspection (DPI) on network traffic to identify DGA domains and abnormal TLS fingerprints.

4.3 Principle of Least Privilege

  • Use temporary credentials for CI/CD pipelines and enable multi-factor authentication (MFA).
  • Set expiration dates for npm publishing tokens and restrict them to publish-only permissions.

5. Conclusion

The Axios incident once again proves that supply chain attacks have become an efficient vector for RAT propagation. Defense requires full-chain collaboration from code dependencies and build pipelines to runtime environments. Developers should adopt a "zero trust" dependency management strategy, shifting security left to block attacks at the source.

Related reading

Related articles

Deep Dive into V2Ray Protocols: Evolution and Security Assessment from VMess to XTLS
This article provides an in-depth analysis of the technical evolution of V2Ray core protocols from VMess to XTLS, comparing security features, performance, and use cases, along with security assessments and best practices.
Read more
The Offensive-Defensive Game Between Residential Proxies and VPN Proxies: How to Identify and Avoid Malicious Proxy Nodes
This article delves into the technical differences and security risks between residential proxies and VPN proxies, exposes common attack methods of malicious proxy nodes, and provides practical strategies for identification and avoidance to help users protect their privacy and data security in the offensive-defensive game.
Read more
Deep Dive into Enterprise Remote Work VPN Scenarios: Security Architecture and Performance Optimization Practices
This article provides an in-depth analysis of security architecture design and performance optimization practices for enterprise remote work VPN scenarios, covering tunnel protocol selection, authentication mechanisms, encryption strategies, and bandwidth management to enhance remote access experience while ensuring data security.
Read more
VPN Endpoint Security Baseline: Protection Strategies and Implementation Guide for Enterprise Remote Access
This article delves into the security baseline requirements for VPN endpoints in enterprise remote access scenarios, covering core strategies such as endpoint compliance checks, multi-factor authentication, traffic filtering, patch management, and continuous monitoring, along with a phased implementation guide to help enterprises build end-to-end remote access security.
Read more
Optimizing VPN Split Tunneling for Mobile Work: Reducing Latency and Boosting Efficiency
This article explores the core value of VPN split tunneling in mobile work, analyzing how intelligent routing strategies reduce latency and improve bandwidth utilization, with enterprise-level configuration recommendations and FAQs.
Read more
In-Depth Analysis: Principles and Defense Strategies of Plugin Trojan Attacks Based on Large Language Models
This article delves into the principles of plugin Trojan attacks based on large language models, including how malicious plugins exploit LLM extension capabilities to steal data and execute unauthorized operations, and proposes multi-layered defense strategies covering plugin auditing, sandbox isolation, least privilege, and runtime monitoring.
Read more

FAQ

How did the Axios supply chain attack occur?
Attackers infiltrated the build environment of a third-party JavaScript library, exploited credential leaks in the CI/CD pipeline to gain npm publishing permissions, injected RAT payloads into a legitimate version, and distributed them via npm to developers worldwide.
How can I detect if my project is infected with a similar RAT?
Check the integrity verification values of dependencies (e.g., npm integrity), scan for known vulnerabilities using npm audit, and monitor runtime anomalies such as node processes initiating reverse shell connections or accessing suspicious domains.
What should developers do to prevent supply chain RAT attacks?
Lock dependency versions to avoid automatic updates; apply the principle of least privilege to CI/CD pipelines with temporary credentials and MFA; deploy EDR and network DPI monitoring; and adopt a zero-trust dependency management strategy.
Read more