Security News

Cybersecurity news aggregator

CRITICAL Attacks Reddit r/netsec

Axios npm package compromised in supply chain attack. Downloads malware dropper package

The axios npm package was compromised in a supply chain attack via malicious versions 1.14.1 and 0.30.4, which contained a malware dropper package named plain-crypto-js@4.2.1. Users must immediately roll back to version 1.14.0 and rotate all credentials present in their environment during the exposure period. The npm registry has removed the compromised packages.

Axios is one of the most used npm packages which just got hit by a supply chain attack. Malicious versions of Axios (1.14.1 and 0.30.4) hit the npm registry yesterday. They carry a malware dropper called plain-crypto-js@4.2.1. If you ran npm install in the last 24 hours, check your lockfile. Roll back to 1.14.0 and rotate every credential that was in your environment. Currently, as of now, npmjs has removed the compromised versions of the axios package along with the malicious plain-crypto-js package. Live updates + info linked. submitted by /u/raptorhunter22
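The "check your lockfile" step above, as an added example that is not from the post or the axios project: it walks an npm lockfile (the flat `packages` map of lockfileVersion 2/3, or the nested `dependencies` tree of lockfileVersion 1) and reports any entry resolved to the versions named in the post. The sample lockfile is constructed for the demo.

```python
import json
import sys
from typing import List, Tuple

# Versions named in the post: the tampered axios releases and the dropper they pull in.
COMPROMISED = {
    "axios": {"1.14.1", "0.30.4"},
    "plain-crypto-js": {"4.2.1"},
}

def _name_from_path(path: str) -> str:
    # v2/v3 keys look like "node_modules/a/node_modules/@scope/b"; the name follows the last "node_modules/".
    return path.rsplit("node_modules/", 1)[-1]

def find_compromised(lock: dict) -> List[Tuple[str, str, str]]:
    """Return (install path, package name, version) for every matching lockfile entry."""
    hits: List[Tuple[str, str, str]] = []
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself
                continue
            name = meta.get("name") or _name_from_path(path)
            if meta.get("version") in COMPROMISED.get(name, ()):
                hits.append((path, name, meta["version"]))
    else:  # lockfileVersion 1: nested "dependencies" tree
        def walk(deps: dict, prefix: str) -> None:
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                if meta.get("version") in COMPROMISED.get(name, ()):
                    hits.append((path, name, meta["version"]))
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")
    return hits

# Constructed sample (not a real project): a v3 lockfile whose axios resolved to 1.14.1 and pulled in the dropper.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1", "dependencies": {"plain-crypto-js": "4.2.1"}},
        "node_modules/plain-crypto-js": {"version": "4.2.1"},
        "node_modules/follow-redirects": {"version": "1.15.6"},
    },
}

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for path, name, version in find_compromised(lock):
        print(f"COMPROMISED {name}@{version} at {path}")
```

Run it as `python check_lock.py package-lock.json` against a real project; an empty result means neither tampered axios version nor the dropper is pinned in that lockfile, which says nothing about what was already installed on a machine during the exposure window.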
