One of npm's most depended-on packages
The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise.
This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now.`
Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence`
If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
Thanks for sharing!
I've been doing tons of js supply chain work lately - it already has been a shitshow for a couple of years but now it's getting really bad. Some packages are seeing multiple vulns per week, and at the same time we have multiple concurrent attacks that are easy to be missed.
I'm thinking of
=-pinning instead of^-pinning. May even be the same maintenance spend if you're actually checking diffs.PS: threw you guys a PR a while back too
ouch
found a longer article about it:
https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
Yikes
https://twiiit.com/feross/status/2038807290422370479
Sooo cryptical
Cryptical
Chain smoking bits