Cybersecurity Shenanigans #023: Axios fallout, AI scam feeds, and other fresh cybersecurity shenanigans (see what I did there?)
And to my US friends, don't forget to file your taxes today :)
👋 Hey friend,
I’ve got a packed one for you this time. (If this is the first Cybersecurity Shenanigans issue you’re receiving, hopefully I don’t scare you away with this one. 😂)
In this edition, I’m digging into the massive axios supply chain compromise, a sketchy AI-powered scam campaign gaming Google Discover, and a whole lot more chaos from the security world, plus some new videos, training, and fun stuff I think you’ll want to check out.
And, as always, thanks for being here! 💙
— JH
News & Commentary
Axios compromise sends shockwaves through the JavaScript ecosystem ⚠️
One of the biggest headlines I’ve been following since the last Shenanigans is the axios npm supply chain compromise, and this one deserves the extra attention.
Attackers got access to a maintainer account and published malicious versions of one of the most widely used JavaScript libraries in the world: [email protected] and [email protected]. Those releases quietly pulled in a fake dependency, [email protected], whose only real job was to execute malware during installation.
And because axios is used everywhere (from developer laptops to production apps to CI/CD pipelines), this was the kind of incident that spread fast and hit hard.
What makes this especially nasty is that it didn’t require someone to click a phishing link or open a sketchy attachment. In many cases, just running npm install during the exposure window was enough. Huntress saw infections begin within roughly 89 seconds of one of the malicious axios versions being published, which tells you how quickly automated systems can pull in a poisoned package.
This was not just a scare or a near miss. Huntress observed at least 135 endpoints across Windows, macOS, and Linux reaching out to attacker infrastructure.
The technical chain here is ugly but important to understand:
• An attacker compromised an npm maintainer account tied to axios.
• They published malicious versions of axios, which included a fake dependency, [email protected].
• That package ran a postinstall script: setup.js.
• setup.js downloaded and launched a different malware payload depending on the victim’s operating system.
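The install-time script is the part of this chain you can check for before anything runs. Here is an added example (mine, not from the newsletter or from Huntress) that audits a package-lock.json for pinned versions on a known-bad list and for any dependency npm has marked with hasInstallScript, the flag it sets when a package declares a preinstall/install/postinstall script. The known-bad entries and the sample lockfile are constructed placeholders; the real compromised versions and the fake dependency’s name are not reproduced here.

```python
import json

# Constructed placeholder list of known-bad (name, version) pairs. Substitute the
# identifiers from the advisory you are acting on; these are not the real ones.
KNOWN_BAD = {
    ("axios", "0.0.0-compromised-placeholder"),
    ("fake-dependency-placeholder", "0.0.0"),
}

def audit_lockfile(lock_text, known_bad=KNOWN_BAD, allow_scripts=frozenset()):
    """Audit a package-lock.json (lockfileVersion 2 or 3) and return findings.

    Check 1: a pinned (name, version) is on the known-bad list.
    Check 2: npm recorded hasInstallScript for the package, meaning it runs a
             preinstall/install/postinstall script on `npm install` (the axios
             vector), and the package is not on the allowlist.
    """
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # "" is the root project itself, not a dependency
            continue
        # "node_modules/a/node_modules/b" -> "b"; "@scope/b" keeps its scope
        name = path.split("node_modules/")[-1]
        version = meta.get("version", "")
        if (name, version) in known_bad:
            findings.append((name, version, "known-compromised"))
        if meta.get("hasInstallScript") and name not in allow_scripts:
            findings.append((name, version, "install-script"))
    return findings

# Constructed sample lockfile: a poisoned axios pulling in a fake dependency that
# declares an install script, plus a legitimate package that also has one.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/axios": {"version": "0.0.0-compromised-placeholder",
                               "dependencies": {"fake-dependency-placeholder": "0.0.0"}},
        "node_modules/axios/node_modules/fake-dependency-placeholder": {
            "version": "0.0.0", "hasInstallScript": True},
        "node_modules/esbuild": {"version": "0.21.0", "hasInstallScript": True},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

if __name__ == "__main__":
    for name, version, reason in audit_lockfile(SAMPLE_LOCK, allow_scripts={"esbuild"}):
        print(f"{reason}: {name}@{version}")
```

Running `npm ci --ignore-scripts` in CI stops lifecycle scripts from executing at install time, which is the control that cuts off this vector; the audit above tells you which packages rely on install scripts so you know what to test afterwards.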
More technical details for my nerdier friends:
• The setup.js file was obfuscated.
• On Windows, the malware copied powershell.exe to %PROGRAMDATA%\wt.exe so it looked more like Windows Terminal instead of PowerShell (evasion technique).
• On Windows, it also created a Run key in the registry to achieve persistence.
• On macOS, it dropped a Mach-O binary into /Library/Caches/com.apple.act.mond, using an Apple-looking path to blend in.
• On Linux, it downloaded a Python RAT to /tmp/ld.py. This one didn’t persist after reboot, which suggests the attackers may have cared more about quickly stealing secrets from build servers and containers than staying on the machine long term.
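Two of the behaviors above (a renamed copy of PowerShell, and a check-in to C2 every 60 seconds) are easy to hunt for in endpoint telemetry. This is an added example of mine, not from the newsletter or from Huntress, run over constructed Sysmon-like events: one rule compares a process’s PE OriginalFileName against its on-disk name, the other looks for a process whose connections to one destination arrive on a fixed period with almost no jitter. The event shape, process IDs, paths and addresses are all made up for the demo.

```python
import statistics
from collections import defaultdict

# Constructed sample telemetry in a Sysmon-like shape (not real events):
# type 1 = process creation, type 3 = network connection, ts in seconds.
EVENTS = [
    {"type": 1, "pid": 4100, "image": "C:\\ProgramData\\wt.exe", "orig_name": "PowerShell.EXE"},
    {"type": 1, "pid": 4200, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "orig_name": "PowerShell.EXE"},
    {"type": 1, "pid": 4300, "image": "C:\\Program Files\\WindowsApps\\wt.exe", "orig_name": "wt.exe"},
]
# pid 4100 checks in every 60 s; pid 4200 is bursty, human-driven traffic.
EVENTS += [{"type": 3, "pid": 4100, "dst": "203.0.113.10:443", "ts": 1000 + 60 * i} for i in range(6)]
EVENTS += [{"type": 3, "pid": 4200, "dst": "198.51.100.5:443", "ts": t} for t in (1000, 1007, 1190, 1203, 1600)]

def masquerade_findings(events):
    """Flag processes whose PE OriginalFileName is PowerShell but whose on-disk
    name is something else, e.g. powershell.exe copied to %PROGRAMDATA%\\wt.exe."""
    hits = []
    for e in events:
        if e["type"] != 1:
            continue
        disk_name = e["image"].rsplit("\\", 1)[-1].lower()
        if e["orig_name"].lower() == "powershell.exe" and disk_name != "powershell.exe":
            hits.append((e["pid"], e["image"]))
    return hits

def beacon_findings(events, period=60, tolerance=5, min_connections=4):
    """Flag (pid, destination) pairs whose connection inter-arrival times sit on a
    fixed period with little jitter, the shape of a scheduled C2 check-in."""
    times = defaultdict(list)
    for e in events:
        if e["type"] == 3:
            times[(e["pid"], e["dst"])].append(e["ts"])
    hits = []
    for key, ts in times.items():
        if len(ts) < min_connections:
            continue
        ts.sort()
        deltas = [later - earlier for earlier, later in zip(ts, ts[1:])]
        on_period = abs(statistics.median(deltas) - period) <= tolerance
        if on_period and statistics.pstdev(deltas) <= tolerance:
            hits.append(key)
    return hits

if __name__ == "__main__":
    print("masquerade:", masquerade_findings(EVENTS))
    print("beacons:", beacon_findings(EVENTS))
```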
Once the malware was running, it began doing reconnaissance, or gathering information about the system. The malware could enumerate files and directories, collect host and user details, list running processes, beacon back to command-and-control infrastructure every 60 seconds, run additional scripts, and inject or execute more payloads in memory.
That command-and-control piece matters a lot. A command-and-control server (C2) is an attacker’s server that infected machines check in with for instructions. A system talking to a C2 is not just “might be suspicious” territory. It’s a sign that the attacker has an active foothold.
In this case, any affected system should be treated like a real compromise, especially if it had access to such things as npm tokens, SSH keys, cloud credentials, and so forth.
When a library this common gets compromised, the downstream impact can be immediate, quiet, widespread, and…scary.
AI spam is gaming Google Discover to push scams 📲
Have you heard of Pushpaganda? 👀
Attackers are abusing both AI-generated content and search engine optimization (SEO) poisoning to game trusted platforms. The gist here is that scammers are getting fake news stories into Google Discover, luring Android and Chrome users onto deceptive sites, and then tricking them into enabling browser notifications that turn into scareware, fake legal threats, and financial scam bait.
To go into more detail: Bad actors blasted this malicious content across at least 113 domains to get fake “news” pages surfaced inside Google Discover, then converted that traffic by prompting users to enable browser push notifications. Once notifications were allowed, the attackers delivered repeated scareware-style alerts that redirected victims through additional actor-controlled sites, inflating ad traffic and driving users toward fraud. HUMAN said the infrastructure tied to the campaign peaked at roughly 240 million bid requests over a seven-day stretch, which gives you a sense of the scale and how this was built as a full monetization pipeline, not just your typical scam lure.
We see it again and again: Attackers hijacking a trusted something and turning it into a delivery vehicle for fraud. And in this instance, it’s a vicious cycle: A user clicks to allow notifications, attackers yank them back into scam pages (thus driving fake organic traffic), and then the attackers monetize the whole thing through ads and other shady funnels. It’s like marketing…but for terrible people. 😅
It’s another good reminder that AI is making it so much easier for bad actors to grow and scale their operations, too. Never thought I’d miss the days of typo-ridden phishing emails, but…can we go back to that, please?
Sponsor

Register for a brand new research-focused webinar series from Push Security
I’m excited to be joining the latest webinar series from Push Security deep-diving into the State of Browser Attacks, where I’ll be joining Push researchers along with some incredible guests like Troy Hunt and Matt Johansen.
The browser is increasingly the place where modern breaches start, with a huge amount of attacker innovation — just this year we’ve seen a ton more ClickFix variants, malvertised phishing campaigns intercepting users on search engines, and device code phishing attacks being powered by brand new PhaaS kits.
The first webinar in the series is happening on Thursday, April 16 (that’s tomorrow!) at 11am ET.
Get ahead of this threat evolution and register your spot now!

Email being clipped?
Here’s some actually helpful advice: You can view the email in your browser: https://johnhammond.beehiiv.com/p/cybersecurity-shenanigans-023.
(And as always, thanks for nothing, Clippy. 💙)
Latest Content
YouTube Videos
• I walk through how attackers are abusing Microsoft’s device code authentication flow to pull off some interesting phishing campaigns against Azure, Microsoft 365, and Entra ID accounts. 👀
• Guess what? You can’t even trust notifications on your computer anymore! 😭 In this video, I show how Windows toast notifications can be spoofed to look like they came from trusted apps, and how that opens the door for social engineering and post-compromise abuse.
• In this video, I’m building a rough-and-ready “ChatGPT for the dark web.” I walk through the whole vIbE-cOdEd experiment, from shaping the app and wrangling the tooling to finally getting a proof of concept that can query dark web chatter, leaks, and threat actor activity in a pretty slick way.
Just Hacking Training News 🤓
April Course Release:
AI Cyber Defense Ops

20% Launch Discount Expires Midnight ET April 30
Instead of a basic Intro to AI, AI-Assisted Pentesting, or yet another Securing your LLMs course, Anton Ovrutsky will teach you how to make your defensive lives easier and operations more efficient in "AI Cyber Defense Ops."
This brand-new practical course provides job-ready skills using Claude to make you an indispensable blue team employee! It’s a great companion to the ConDef Ecosystem with its pre-setup telemetry to practice in a cyber range that mimics an enterprise environment.
Then unleash your full potential!
🤑 Just $40 in April! 🤑
Invest in YOU!

Start or advance your technical cybersecurity career with our practical, hands-on training from me and 30+ All-Stars. Use Code “TaxDay15” to get 15% off! Excludes Already Discounted Items. Expires Midnight April 30.
❤️ Red Team | ❤️ API Hacking | 💙 Blue Team
Courses In Production - Jr WebApp Pentester, Jr Network Pentest, WMD 6, Coding for Cybersecurity, Amass, Hacking Home Lab, MADS Vol 4 and much more!
Forget the Noise. Get to JustHacking.com!
AI & Cybersecurity Job Market Got You Stressed?

Professional Pentester AND yoga instructor, Aqeel Yaseen, shares the little-known concept of Pratipaksha Bhavana, an ancient method to mentally hit the reset button. Learn how recognizing and reorienting our attitudes can take us further, faster!
New Free Upskill Challenges
• Erich Kron, hacker, maker and cybersecurity pro, offers an introductory look inside the world of 3D printing.
• The 2nd free UC in our Maritime Cybersecurity series dives deeper into National Marine Electronics Association 2000 (NMEA 2000).
Save Big with Bundles!
• The “Mishaal” Bundle: Get EVERYTHING Mishaal Khan has on JHT for only $345 (25% Off)! At a fraction of what he charges for a single in-person course, you get 4 courses (3 OSINT, 1 OpSec) & 2 geoINT Hack-Alongs.
• Mastering Active Directory Security (MADS) Volumes 1 – 3: (20% Off)
• WMD Intro Path includes courses 1 – 3: (46% Off)
• 7 CTF Bundle: 50% Off
• 7 Hack-Along Bundle: 75% Off
• Get both DW1 (Dark Web and Cybercrime Investigations, $125) and DW2 (CTI Researcher, $175) in a bundle and save 25%. Only $225 (was $300)!
Got feedback?
Are you loving this thing? Can it be improved? Either way, I want to know.
Please reply to this email and let me know what you’re loving — and what you’d love to see in the next edition.
Thank you!