A supply chain attack compromised the Axios npm package: malicious versions (axios@1.14.1 and axios@0.30.4) pull in plain-crypto-js@4.2.1, a package that deploys a RAT capable of remote code execution, data exfiltration, and persistence. The affected releases do not appear in Axios's official GitHub tags, suggesting the attacker published them outside the normal release workflow. Axios has 100 million weekly downloads, so the blast radius is enormous.
Supply Chain Attack on Axios
Attackers published malicious Axios versions (100M weekly downloads) outside the official GitHub workflow, deploying a RAT capable of remote code execution and data exfiltration.
Wednesday, April 1, 2026, 12:00 PM UTC. 2 min read. Source: Lobsters. By sys://pipeline. Category: War.
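Two defensive checks follow from the summary above: look for the named indicators (axios@1.14.1, axios@0.30.4, plain-crypto-js@4.2.1) in a project's lockfile, and apply the heuristic that a published version with no matching upstream release tag is suspect. The script below is an added example, not code from the page or from the Axios project. It walks both lockfile layouts npm produces (v1 nested `dependencies`, v2/v3 flat `packages`) and reports hits; the lockfile and the tag list it runs on are constructed sample data, and `versionsWithoutTag` assumes you have already fetched the repository's tag names yourself (for instance from the GitHub API) and pass them in as an array.

```javascript
// Added example (not from the original page): audit a package-lock.json for the
// compromised Axios releases named in the summary and for the malicious
// plain-crypto-js dependency they pull in, and flag installed versions that
// have no matching release tag upstream.
//
// Indicators taken from the page: axios@1.14.1, axios@0.30.4, plain-crypto-js@4.2.1.
// The lockfile and tag list further down are constructed sample data.

const BAD_PACKAGES = {
  "axios": new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": new Set(["4.2.1"]),
};

// Enumerate installed packages. v2/v3 lockfiles list each package under
// `packages` keyed by its path ("node_modules/axios"); v1 lockfiles nest them
// under `dependencies`. Yields { name, version, path } for every entry.
function* installedPackages(lock) {
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project entry, not a dependency
      const marker = "node_modules/";
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      yield { name, version: meta.version, path };
    }
    return;
  }
  function* walk(deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      yield { name, version: meta.version, path };
      yield* walk(meta.dependencies, path + "/"); // nested (deduped-away) copies
    }
  }
  yield* walk(lock.dependencies, "");
}

// Return every installed package whose name@version is a known indicator.
function findCompromised(lock, indicators = BAD_PACKAGES) {
  const hits = [];
  for (const pkg of installedPackages(lock)) {
    const versions = indicators[pkg.name];
    if (versions && versions.has(pkg.version)) hits.push(pkg);
  }
  return hits;
}

// Heuristic from the write-up: a version with no corresponding release tag in
// the project's repository was published outside the normal workflow. `tags`
// is the tag list you fetched from upstream; a leading "v" is stripped so that
// "v1.6.0" matches installed version "1.6.0".
function versionsWithoutTag(installedVersions, tags) {
  const tagged = new Set(tags.map((t) => t.replace(/^v/, "")));
  return installedVersions.filter((v) => !tagged.has(v));
}

// ---- constructed sample input (not real data) ----
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/some-lib/node_modules/axios": { version: "1.6.0" },
  },
};
// Constructed stand-in for the upstream repository's release tags.
const sampleTags = ["v1.6.0", "v1.7.0", "v0.30.3"];

// Run both checks over the sample lockfile and return the findings.
function runSampleAudit() {
  const hits = findCompromised(sampleLock);
  const axiosVersions = [...installedPackages(sampleLock)]
    .filter((p) => p.name === "axios")
    .map((p) => p.version);
  const untagged = versionsWithoutTag(axiosVersions, sampleTags);
  return { hits, untagged };
}

if (typeof require !== "undefined" && require.main === module) {
  const { hits, untagged } = runSampleAudit();
  for (const h of hits) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
  for (const v of untagged) console.log(`axios@${v} has no matching upstream release tag`);
}
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))` and `sampleTags` with the tag names fetched from the repository; the nested-path walk matters because an older axios pinned by a transitive dependency lives under `node_modules/<dep>/node_modules/axios` and would be missed by a top-level lookup.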