A supply chain attack has targeted the Axios library on npm, with malicious versions published that directly affect developers.
Affected Versions
axios@1.14.1 and axios@0.30.4
What Happened?
An attacker compromised a maintainer account and published versions including a malicious dependency:
plain-crypto-js@4.2.1.
This dependency is not used by Axios itself, but executes via a postinstall script,
allowing malicious code to run automatically after installation on local machines or CI/CD.
What Does the Malicious Code Do?
- Installs and runs a Remote Access Trojan (RAT).
- Executes system commands via execSync.
- Accesses files (fs) and system info (os).
- Drops malicious files (e.g., in ProgramData on Windows).
- Hides traces by renaming or deleting files.
Running these versions may grant full access to your system or environment.
Potential Impact
- Leakage of API keys and tokens.
- Compromised CI/CD pipelines and servers.
- Unauthorized system control.
- Exposure of sensitive project data.
What Should You Do Now?
- Use a safe version: axios@1.14.0 or axios@0.30.3
- Reinstall dependencies:
  rm -rf node_modules package-lock.json
  npm install
- Ensure the malicious package is not present: plain-crypto-js
- Rotate all credentials: API keys, access tokens, SSH keys
- Treat any environment that ran npm install recently as potentially compromised
Unexpected postinstall scripts in unused dependencies are a strong red flag.
Important Note
Avoid using latest for now, i.e. do not run:
npm install axios@latest
Use a pinned version such as:
axios@1.14.0
Conclusion
This incident highlights the risks of supply chain attacks and reinforces the importance of version pinning, dependency auditing, and avoiding blind trust in widely used packages.