
"The npm ecosystem absorbed one of its most significant supply chain attacks on March 31, 2026, when two versions of Axios were found to contain a fully functional Remote Access Trojan."
"The attack was first surfaced by Socket, whose automated malware scanner flagged the malicious transitive dependency plain-crypto-js@4.2.1 within six minutes of it appearing on the registry."
"Neither version appears in the official Axios GitHub release tags, a break from the project's normal publish workflow that security researchers on GitHub flagged immediately."
"Feross Aboukhadijeh, founder of Socket, posted on X: 'Every npm install pulling the latest version is potentially compromised right now. Socket AI analysis confirms this is malware.'"
On March 31, 2026, two versions of Axios were found to contain a Remote Access Trojan. The malicious packages were published through a hijacked maintainer account and reached many developer environments before they were removed. Socket's malware scanner detected the threat within six minutes. The attack involved a clean typosquat of the legitimate crypto-js library, which was poisoned to coincide with the Axios release. The compromised versions did not appear in the official GitHub release tags, a deviation from the project's normal publish workflow. Investigations suggest a long-lived npm token may have facilitated the attack.
Read at InfoQ