Axios 1.14.1 Hit by Supply Chain Attack via Malicious npm Dependency

According to Slow Fog, malicious axios releases 1.14.1 and 0.30.4 pulled in plain-crypto-js malware, exposing developers to cross-platform RATs and credential theft through the npm supply chain.

Summary

Blockchain security firm Slow Fog issued an urgent warning that malicious axios releases 1.14.1 and 0.30.4 pulled in plain-crypto-js malware through npm. The update says the compromised packages exposed crypto developers to cross-platform remote access trojans and stolen credentials, sharpening the incident from a general supply chain compromise to a malware campaign with specific downstream risks. Existing guidance remains focused on systems that installed the affected packages during the attack window, including reviewing indicators of compromise and rotating credentials where exposure is suspected.
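A defender-side check prompted by the guidance above, added here and not part of the original report: it walks a package-lock.json object for the two axios versions the report names and for the plain-crypto-js dependency they pulled in, covering both the lockfileVersion 1 tree and the lockfileVersion 2/3 path map. The lockfile below is a constructed sample, and the plain-crypto-js version in it is a placeholder rather than an indicator from the report.

```javascript
// Added example (not from the original report): scan an npm lockfile object for the
// axios versions named above and for the plain-crypto-js dependency they pulled in.
// Handles lockfileVersion 1 ("dependencies" tree) and 2/3 ("packages" path map).
const AFFECTED_AXIOS = new Set(["1.14.1", "0.30.4"]);
const MALICIOUS_DEP = "plain-crypto-js";

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(p) {
  const idx = p.lastIndexOf("node_modules/");
  return idx === -1 ? p : p.slice(idx + "node_modules/".length);
}
function scanLockfile(lock) {
  const findings = [];
  const check = (name, version, where) => {
    if (name === "axios" && AFFECTED_AXIOS.has(version)) {
      findings.push({ name, version, where, reason: "affected axios release" });
    }
    if (name === MALICIOUS_DEP) {
      findings.push({ name, version, where, reason: "malicious dependency present" });
    }
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry, not a dependency
      check(nameFromPath(path), meta.version, path);
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const where = `${prefix}node_modules/${name}`;
        check(name, meta.version, where);
        if (meta.dependencies) walk(meta.dependencies, where + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Constructed sample lockfile (v3 layout); the plain-crypto-js version is a placeholder.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/axios/node_modules/plain-crypto-js": { version: "0.0.0-placeholder" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};
console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
```

A finding for either reason means the lockfile should be treated as one that installed the affected packages, which is where the report's advice to review indicators and rotate credentials applies.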

Terms & Concepts
  • Supply chain attack: A cyberattack that compromises a trusted software component or dependency so malicious code spreads to downstream users.
  • npm: A JavaScript package manager and registry used to distribute libraries and dependencies, making it a common software supply chain target.
  • RATs: Remote access trojans are malware programs that give attackers unauthorized control over infected systems.