A critical supply chain attack is currently targeting Axios, one of the most depended-on packages in the NPM registry, which hosts over two million open-source JavaScript packages. According to security expert Feross Aboukhadijeh, the compromised axios@1.14.1 version pulls in a malicious dependency called plain-crypto-js@4.2.1, which did not exist before the attack. The malware can delete forensic evidence and execute shell commands, posing a severe risk given Axios’s 100 million weekly downloads.
A major supply chain attack is actively compromising Axios, a foundational package within the NPM registry. Feross Aboukhadijeh, co-founder of the security firm Socket Security, stated that the attack involves the newly released axios@1.14.1. This version pulls in a previously non-existent package called plain-crypto-js@4.2.1, indicating a live compromise.
The NPM registry hosts more than two million packages of open-source JavaScript code. It is considered a backbone for modern Web3 development, making this breach particularly significant. “This is textbook supply chain installer malware. Axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now,” Feross warned.
The malicious software performs several actions once it runs. It deletes and renames artifacts to destroy forensic evidence after execution, stages payload files in system directories, and executes decoded shell commands.
Feross recommended immediate action for developers who use the library: pin their Axios versions, audit their lockfiles, and halt all updates until the situation is resolved.
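The lockfile audit and version pinning recommended above can be scripted. The following Node.js script is an added example written for this article; it is not code from Socket Security, from Feross, or from the Axios project. It scans a package-lock.json for the two indicators named in the report (axios at version 1.14.1 and any plain-crypto-js entry) and flags dependencies in package.json that are declared as ranges rather than exact pins. It assumes the standard npm lockfile shapes (v1 with a nested `dependencies` tree, v2/v3 with a flat `packages` map); the sample lockfile and package.json embedded below are constructed for the demonstration.

```javascript
// Added example, not part of the original article.
// Scans an npm lockfile for the indicators named in the report and reports
// unpinned dependency specs in package.json.

// Indicators taken from the article: a Set of bad versions, or null for
// "any version" (plain-crypto-js did not exist before the attack).
const INDICATORS = {
  axios: new Set(["1.14.1"]),
  "plain-crypto-js": null,
};

// Flatten the installed tree into { name, version, path } records.
// Lockfile v2/v3 carry a "packages" map keyed by install path; v1 carries a
// nested "dependencies" tree. v2 also keeps a legacy "dependencies" copy, so
// prefer "packages" when present to avoid double counting.
function collectInstalled(lock) {
  const found = [];
  if (lock.packages) {
    for (const [installPath, entry] of Object.entries(lock.packages)) {
      if (installPath === "") continue; // "" is the root project itself
      const marker = "node_modules/";
      const name = installPath.slice(installPath.lastIndexOf(marker) + marker.length);
      found.push({ name, version: entry.version, path: installPath });
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const installPath = `${prefix}node_modules/${name}`;
      found.push({ name, version: entry.version, path: installPath });
      walk(entry.dependencies, installPath + "/");
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Return every installed record matching an indicator.
function findIndicators(lock) {
  return collectInstalled(lock).filter(({ name, version }) => {
    if (!Object.prototype.hasOwnProperty.call(INDICATORS, name)) return false;
    const badVersions = INDICATORS[name];
    return badVersions === null || badVersions.has(version);
  });
}

// An exact pin is a bare semver version with no range operator (^, ~, >=, x, *).
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.test(spec);
}

// List dependencies in package.json whose spec is a range rather than a pin.
function findUnpinned(pkg) {
  const fields = ["dependencies", "devDependencies", "optionalDependencies"];
  const unpinned = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!isExactPin(spec)) unpinned.push({ field, name, spec });
    }
  }
  return unpinned;
}

// Constructed sample inputs (lockfile v3 shape); not real project files.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/some-other-lib": { version: "2.0.0" },
  },
};
const SAMPLE_PKG = { dependencies: { axios: "^1.14.0", "some-other-lib": "2.0.0" } };

// CLI: `node check-lock.js [package-lock.json] [package.json]`; falls back to the samples.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  const pkg = process.argv[3] ? JSON.parse(fs.readFileSync(process.argv[3], "utf8")) : SAMPLE_PKG;
  for (const hit of findIndicators(lock)) {
    console.log(`INDICATOR: ${hit.name}@${hit.version} at ${hit.path}`);
  }
  for (const dep of findUnpinned(pkg)) {
    console.log(`UNPINNED: ${dep.field}.${dep.name} = "${dep.spec}"`);
  }
}
```

Against the constructed sample the script reports both axios@1.14.1 and plain-crypto-js@4.2.1, and flags `axios: "^1.14.0"` as an unpinned range that would let `npm install` resolve to the compromised version. A quick cross-check without the script is `npm ls plain-crypto-js`, which prints the install path of that package if it is present in the tree; `npm config set save-exact true` makes subsequent `npm install` calls write exact versions instead of caret ranges.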
