## TL;DR
Early this morning Axios was compromised by a sophisticated and severe supply chain attack.
Dashy is unaffected. But there were some useful lessons to be learnt.
Thank you @fish-not-phish for your contributions on this.
## Impact Assessment

### Docker Version

Summary: Dashy is safe.
Dashy depends on axios@^1.12.0, which the yarn.lock pins to axios@1.13.6. That is not in the vulnerable range (axios@1.14.1 and axios@0.30.4).

The Dockerfile installs dependencies with `yarn install --immutable`, so it will refuse to resolve Axios to any version other than 1.13.6.

In terms of the attack timing, the newest versions of Dashy (the `latest`, `3.2.0`, `3.x` and `3.2` image tags) were published Mar 30, 07:57 UTC, which was 16 hours before the vulnerability window.

Axios is never pulled in as a transitive dependency, so the version in the package.json/yarn.lock is the only version present.

I've followed the steps from StepSecurity.io's write-up to grep through the node_modules for the bad plain-crypto-js package, and confirmed that it is not present in any versions of Dashy published. I've also reviewed all logs from my own staging environments to verify that the C2 domain is not mentioned anywhere.
### Custom / Modified Versions
However, if you are running a modified fork of Dashy, then you will need to check this yourself:
```shell
# 1. Bad version in lockfile? (matches both Yarn classic and Yarn Berry lockfile layouts:
#    the "axios@..." entry key is followed within a few lines by its resolved version)
grep -nE -A3 '^"?axios@' yarn.lock | grep -E 'version:? "?(1\.14\.1|0\.30\.4)'

# 2. Is the malicious dependency present?
ls node_modules/plain-crypto-js 2>/dev/null && echo "⚠️ POSSIBLE COMPROMISE"

# 3. Do you see any RAT artifacts?
ls -la /tmp/ld.py 2>/dev/null && echo "⚠️ COMPROMISED"
```

If any of these checks fire, rebuild and rotate all secrets immediately.
## Background

Some of you might already be aware, but Axios is a popular NPM package providing a promise-based HTTP client for the browser and Node.js.

Dashy (and 20M other projects!) heavily relied upon Axios before browser and Node fetch support was widely available.

Early this morning, the maintainer of Axios was compromised (likely via the previous NPM attack and wave of token / maintainer account compromises), and two bad versions of Axios (1.14.1 and 0.30.4) were published. They stayed live for 3 hours (00:21 to 03:29 UTC on Tue 31st March).

The attacker didn't modify Axios itself, but rather added a new dependency (plain-crypto-js@4.2.1) to its package.json. That package looked like the legit crypto-js package, but had a malicious postinstall script which ran during npm install, downloading and running a cross-platform RAT.

When installed, this script executed immediately during npm install, acting as a dropper:

After execution, the malware:

The hack has so far been attributed to North Korea.

For more info about this incident, take a look at these sources:

- https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan

## Action Taken

Even though Dashy was not impacted, I've decided that removing the use of Axios is the best route forwards. I've refactored it out of the codebase in Update/remove axios #2027, which will be released shortly in v3.2.1.

I have enabled private vulnerability reporting for Dashy (so anyone can submit an advisory). And, as before, any security concerns can be reported to security@as93.net.
## Action Required

No action is needed from you.

> [!TIP]
> If you run a lot of self-hosted services, consider blocking all traffic to the known C2 server: `echo "0.0.0.0 sfrclak.com" >> /etc/hosts`
> Note that a hosts entry only stops lookups of that hostname; it does not block connections made directly to an IP address.

Stay safe 🩵