How Heeler Mitigated the Axios Supply Chain Attack

Heeler provided customers a multi-layered defense, combining Software Composition Analysis (SCA) with Static Analysis Security Testing (SAST), along with Agent Skills, CLI and guardrails to provide the visibility and enforcement necessary to neutralize this threat.
April 13, 2026


Dual-Layer Detection: Beyond the Version Number

While traditional tools rely solely on known-vulnerability databases, Heeler’s approach identifies the malicious techniques themselves. This was critical for the Axios attack, where the malicious plain-crypto-js dependency was used as a delivery vehicle.

  • SCA Precision: Heeler flagged axios@1.14.1, axios@0.30.4, and the malicious plain-crypto-js@4.2.1 across all lockfiles, including transitive exposures.
  • SAST Logic: Heeler's SAST rules detected the malicious patterns themselves: the C2 domain, the dropper's obfuscation functions (_trans_1, OrDeR_7077), RAT artifacts, and the package.json evidence swap. This let customers catch variants reusing the same techniques even before SCA databases could update.

Multiple Layers of Protection and Response

Heeler provided multiple layers of protection and response:

  • Global View of Exposure: In the Catalog → Global Dependencies view, customers could use the Compromised filter to get an instant, environment-wide map of every affected repository.
  • Agentic & CLI Guidance: The heeler-malicious-package-scan skill gave coding agents guidance and guardrails, and gave developers the same locally via the CLI, to block additions of the compromised dependencies.
  • PR Guardrails: Heeler’s automated enforcement blocked any Pull Request attempting to introduce the compromised versions.
  • Automated Workflows: The "New Compromised Dependency" trigger automatically routed detections to Slack and generated Jira tickets for engineering teams the moment the compromised versions were detected (new or existing).
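
As an added example that is not Heeler's code, the lockfile-level check behind the SCA flagging and the PR guardrail described above, assuming npm's package-lock.json format (lockfileVersion 2/3) and a constructed sample lockfile:

```python
# Added example (not Heeler's code): scan npm package-lock.json v2/v3 for the compromised versions.
import json
import sys
from pathlib import Path

# Versions named in the post; assumption: exact-version matching is sufficient here.
COMPROMISED = {
    "axios": {"1.14.1", "0.30.4"},
    "plain-crypto-js": {"4.2.1"},
}

def scan_lockfile(lock):
    """Return [(name, version, kind, path)] with kind 'direct' or 'transitive'."""
    packages = lock.get("packages", {})
    root = packages.get("", {})  # "" is the root project's own entry
    direct = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    hits = []
    for path, meta in packages.items():
        if not path.startswith("node_modules/"):
            continue  # skips the root entry and workspace links
        name = path.rsplit("node_modules/", 1)[1]  # handles nesting and @scope/name
        version = meta.get("version", "")
        if version in COMPROMISED.get(name, ()):
            top_level = path == f"node_modules/{name}" and name in direct
            hits.append((name, version, "direct" if top_level else "transitive", path))
    return hits

# Constructed sample: axios is clean at top level, but some-sdk pulls in a nested
# compromised axios, and plain-crypto-js is hoisted to top level without being direct.
SAMPLE_LOCK = {
    "packages": {
        "": {"dependencies": {"axios": "^1.7.0", "some-sdk": "^2.0.0"}},
        "node_modules/axios": {"version": "1.7.9"},
        "node_modules/some-sdk": {"version": "2.0.0", "dependencies": {"axios": "1.14.1"}},
        "node_modules/some-sdk/node_modules/axios": {"version": "1.14.1"},
        "node_modules/plain-crypto-js": {"version": "4.2.1"},
    },
}

def main(argv):
    """Non-zero exit when anything is flagged, so the same check can gate a pull request."""
    lock = json.loads(Path(argv[1]).read_text()) if len(argv) > 1 else SAMPLE_LOCK
    hits = scan_lockfile(lock)
    for name, version, kind, path in hits:
        print(f"COMPROMISED {name}@{version} ({kind}) at {path}")
    return 1 if hits else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with a lockfile path as the first argument to scan a real project; with no argument it scans the constructed sample.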