Welcome to the 2020s! This decade's theme: cyber insecurity. That's right, another large-scale breach has just occurred, and you will almost certainly feel this one, given its potential scale. This time, the victim was Axios, a popular promise-based HTTP client for JavaScript. While this is not a breach that targets Salesforce orgs specifically, there is still due diligence your business needs to do to protect the privacy of your data and systems.
Let's jump straight in and determine what the problem is, why it is potentially one of the largest threats to software security in history, and what your business should do today to protect your data.
Axios Breached: TLDR (Important to Know)
Firstly, the important details. Axios has been injected with malicious software: versions axios@1.14.1 and axios@0.30.4 are compromised. If any of your projects reference these versions, take IMMEDIATE action. If you are on an earlier version, DO NOT UPDATE until this is resolved. When you check, look at your lockfile and your transitive dependencies, not just the version listed in your own package.json, because Axios is frequently pulled in by other packages. Keep an eye on the GitHub Issue for more information.
This attack is known as a "supply chain" attack because it doesn't target any one particular business, industry, or piece of software. It attacks the building blocks those things are made from. Rather than attacking a single company or building, it is like adding a flaw to the bricks used in every building in town, breaching millions of houses instead of targeting one or two security doors at a time.
The blast radius for an attack like this is potentially significant.
High-Level Technical Details
Axios is a simple promise-based HTTP client that is commonly used in Node.js projects. The potential scale of this breach is enormous: according to StepSecurity, Axios is downloaded roughly 300 million times per week.
What has essentially happened is that a bad actor published versions of the package that pull in a malicious dependency. When the package is installed, a script runs that connects the installed machine to a remote server and discreetly passes commands and data back and forth between your computer and that server. Malware of this kind is known as a Remote Access Trojan (RAT).
Cleverly, once its work is done, the malicious component erases itself and replaces itself with a clean decoy, making it far harder to detect once deployed. Vibe coders who are unsure what they are installing or working with should be particularly concerned, because a compromise like this can be difficult to detect and clean up; another reason to only work with tools that you understand fully, so you can tidy up when things go wrong.
This is not a Salesforce-specific attack, nor is it necessarily targeting Salesforce customers directly. However, given the popularity of this tool and its widespread use, not to mention the systems integrated with Salesforce that may have been compromised, it is definitely something that Salesforce customers and professionals should be aware of.
What Developers Should Do Now
If you are a Salesforce Developer and you have a project that depends on Axios, directly or through another package, you need to take immediate action and presume that you have been breached. If you have any tools that connect to Salesforce, you will need to confirm that these have not been breached. If you have any third-party software that talks to Salesforce or your business data in any way, disconnect compromised tools and systems as quickly as possible to minimize the blast radius, and rotate any credentials, API keys, or tokens that were stored on, or reachable from, an affected machine.
Consider also any open source packages, code, or tools developed by internal teams or Salesforce SI Partners and deployed into your org, as well as the AppExchange solutions that you use in your org.
One comment on the GitHub Issue that I linked above summed up the lesson that can be learned from this:
"The only takeaways as of right now are that you don't install package updates, especially new ones, blindly or automatically, and that supply chain risks exist."
Another lesson that I will repeat here once more: vibe coders are particularly exposed to this kind of attack. If your AI is performing tasks, writing code, or implementing packages that you are not able to explain, manage, or troubleshoot yourself, you could land yourself in some pretty major problems.
Are You At Risk?
The reality is that, given the type of package that has been breached here, every individual who has their data in any form of modern software carries some degree of risk. Whether that risk relates directly to your Salesforce environment or to your own personal data sitting in an impacted system, the blast radius for this one could be quite extensive.
Unfortunately, this seems to be a necessary evil of the digital era we live in. There are practices that you, as a developer or builder, can adopt, which I listed above, but there is sadly no silver bullet for protecting your own data. The most important thing is to be vigilant and proactive, and, if all else fails, to act quickly to reduce the blast radius and minimize the damage.
Summary
As my colleague Sasha recently said, these breaches aren't going anywhere. When it comes to protecting your own personal data, there is no silver bullet or sure-fire way to be 100% safe. Even when it comes to developing your own software, there is no guarantee that your process will ever be truly safe.
There are, however, best practices to follow to help minimize your exposure, and processes that your business should put in place to rapidly respond to situations like this.