SlowMist|3月 31, 2026 04:39
🚨 Another major supply chain incident 🚨
axios — one of the most widely used npm packages — has been compromised. Malicious versions axios@1.14.1 and axios@0.30.4 were published and are actively dropping malware.
The attack pulls in a newly created dependency plain-crypto-js@4.2.1, confirmed as a malicious loader: it executes obfuscated payloads, runs shell commands, and attempts to evade detection while wiping traces.
With 100M+ weekly downloads, this is a live, large-scale supply chain attack.
More details: https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan(SlowMist)
Share To
Timeline
HotFlash
APP
X
Telegram
CopyLink