A malicious version of Axios, a widely used JavaScript library, has been published to millions of developers, putting anyone who installed it at risk of compromise. Axios is an HTTP client that lets JavaScript applications, in browsers and in Node.js, make requests to web servers, and it is downloaded tens of millions of times every week. The affected library was hosted on npm, the package registry that stores code for open-source JavaScript projects. A hacker hijacked the package and published a modified release that delivers malware, which could give the attacker access to a vast number of affected devices.
The hijack was spotted and stopped in around three hours, according to security firm StepSecurity. Hackers are increasingly targeting the maintainers of popular open-source projects, because a single compromised release reaches everyone who depends on the code. Breaches of this kind are called supply chain attacks: instead of attacking victims one by one, the hacker compromises software the victims trust and install, and is carried into every system that pulls in the tainted release.
The hacker slipped the malicious code into Axios by compromising the account of one of the project's primary maintainers. The hacker then replaced the legitimate maintainer's email address on the account with their own, making it harder for the maintainer to regain control. Security company Aikido warned that anyone who downloaded the compromised release "should assume their system is compromised."
The incident highlights the growing threat of supply chain attacks, in which hackers target software that gives them access to large numbers of users at once. In recent years, hackers have compromised vendors such as 3CX, Kaseya and SolarWinds, and the open-source world has been hit as well: the Log4Shell flaw in Log4j was exploited at scale, and the Polyfill.io service was taken over to serve malicious scripts to the sites that embedded it.
Aikido's warning that anyone who downloaded the code "should assume their system is compromised" applies to developers everywhere, and Nigerian developers who rely on open-source tools like Axios are not immune to this threat. The growing number of supply chain attacks shows that hackers are becoming more sophisticated in their tactics, and developers must stay vigilant: check which versions of their dependencies were actually installed, and treat any machine that pulled in a compromised release as untrusted until it has been cleaned.