
Expert Warns of Critical, Ongoing Supply Chain Attack on Axios

🚨

According to Feross Aboukhadijeh, co-founder of the security firm Socket, there is an active supply chain attack on Axios, one of npm's most trusted packages.

NPM stands for Node Package Manager and is essentially the world's largest software registry, hosting more than two million packages of open-source JavaScript code. An argument could be made that it is the backbone of modern Web3 development.

According to Feross, the latest axios@1.14.1 is currently pulling in plain-crypto-js@4.2.1, a package that did not exist before today, which suggests a live compromise.

“This is textbook supply chain installer malware. Axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now. Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader.”

The malware can perform a range of actions, including deleting and renaming artifacts after execution to destroy forensic evidence, staging and copying payload files to the OS temp and Windows ProgramData directories, executing decoded shell commands, and more.

The expert recommends that developers who use axios immediately pin their versions and audit their lockfiles, and refrain from any updates for the time being.
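As an added illustration of that recommendation (example code written for this page, not code from the article, from Socket, or from the axios project): a Node.js script that reads a package-lock.json and package.json, reports every installed copy of a named package and which packages pulled it in, lists the resolved axios versions, and checks whether axios is pinned to an exact version rather than a range. It assumes lockfileVersion 2 or 3, where every installed package is a key in the top-level "packages" map. The sample lockfile is constructed to mirror the situation the article describes (axios@1.14.1 depending on plain-crypto-js@4.2.1); the "demo-app" name and the "^1.14.0" range are placeholders, integrity hashes are omitted, and the article names no known-good axios version to pin to.

```javascript
// Added example (not from the CryptoPotato article, Socket, or axios):
// audit an npm lockfile for a suspicious package and check whether axios
// is pinned. Assumes lockfileVersion 2 or 3 ("packages" map with keys
// such as "node_modules/axios" or "node_modules/a/node_modules/b").

// Constructed sample package.json: axios is a caret range, not a pin.
const SAMPLE_PACKAGE_JSON = {
  name: "demo-app",
  dependencies: { axios: "^1.14.0" },
};

// Constructed sample package-lock.json modelled on the article: axios@1.14.1
// depends on plain-crypto-js@4.2.1. "resolved" URLs follow the registry's
// usual layout; integrity hashes are deliberately omitted.
const SAMPLE_LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": {
      version: "1.14.1",
      resolved: "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz",
      dependencies: { "plain-crypto-js": "4.2.1" },
    },
    "node_modules/plain-crypto-js": {
      version: "4.2.1",
      resolved: "https://registry.npmjs.org/plain-crypto-js/-/plain-crypto-js-4.2.1.tgz",
    },
  },
};

// Base package name for a "packages" key: "node_modules/@scope/name" ->
// "@scope/name"; a nested "node_modules/a/node_modules/b" -> "b".
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Every installed copy of `name`, nested duplicates included, with the
// lockfile key and the resolved version.
function findPackage(lockfile, name) {
  const hits = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    if (key !== "" && packageNameFromKey(key) === name) {
      hits.push({ key, version: entry.version });
    }
  }
  return hits;
}

// Which installed packages declare `name` as a (regular or optional)
// dependency? This answers "what pulled the suspicious package in".
function dependentsOf(lockfile, name) {
  const out = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    if (name in deps) out.push({ key: key === "" ? "(root)" : key, range: deps[name] });
  }
  return out;
}

// An exact pin is a bare semver version (optionally with a prerelease tag):
// no ^, ~, >, <, *, x, ||, or hyphen ranges.
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/.test(spec);
}

// Offline audit of what the lockfile already resolves to. Returns a report
// object rather than printing so the checks can be asserted on; it never
// contacts the registry, so it cannot tell you whether a version is safe,
// only what you are currently locked to.
function auditProject(pkgJson, lockfile, suspectPkg) {
  const suspectHits = findPackage(lockfile, suspectPkg);
  const axiosSpec = (pkgJson.dependencies || {}).axios;
  return {
    suspectFound: suspectHits.length > 0,
    suspectHits,
    suspectDependents: dependentsOf(lockfile, suspectPkg),
    axiosVersions: findPackage(lockfile, "axios").map((h) => h.version),
    axiosPinned: axiosSpec !== undefined && isExactPin(axiosSpec),
  };
}

// Usage on the constructed sample; on a real project read the two files
// with fs.readFileSync and JSON.parse instead.
const SAMPLE_REPORT = auditProject(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE, "plain-crypto-js");
console.log(JSON.stringify(SAMPLE_REPORT, null, 2));
```

On the sample the report flags plain-crypto-js@4.2.1 as present, names node_modules/axios as the only dependent, and reports that axios is not pinned because "^1.14.0" is a range. For an installed tree, `npm ls plain-crypto-js` gives the same presence answer; the script's advantage is that it reads the lockfile without installing anything.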

The post Expert Warns of Critical, Ongoing Supply Chain Attack on Axios appeared first on CryptoPotato.
