Axios, the npm HTTP client with 101M weekly downloads, was compromised in a supply chain attack via versions 1.14.1 and 0.30.4. A malicious dependency called plain-crypto-js was injected — stealing credentials and installing a RAT — likely via a leaked long-lived npm publish token. Trusted publishing via GitHub Actions is highlighted as a key mitigation.
Infrastructure / Featured
Supply Chain Attack on Axios Pulls Malicious Dependency from npm
A leaked npm publish token enabled injection of a credential-stealing RAT into Axios (101M weekly downloads), exposing how long-lived publishing credentials remain a critical supply chain vulnerability.
Wednesday, April 1, 2026, 12:00 PM UTC · 2 min read · Source: Simon Willison · By sys://pipeline
Tags: infrastructure
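The mitigation the article points to, trusted publishing, replaces a long-lived token stored as a secret with a short-lived credential that npm issues to one specific workflow run via GitHub's OIDC identity. The workflow below is an added example, not code from the Axios project or from the original post; it assumes the package has been registered for trusted publishing on npmjs.com against this repository and workflow filename, and that the runner has npm 11.5.1 or newer.

```yaml
# .github/workflows/release.yml (added example; assumes the package's npmjs.com
# settings list this repository and this workflow file as a trusted publisher)
name: Publish to npm
on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  id-token: write   # lets the job request a short-lived OIDC token from GitHub

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm install -g npm@latest   # trusted publishing needs npm 11.5.1+
      - run: npm ci
      - run: npm test
      # No NODE_AUTH_TOKEN / NPM_TOKEN secret anywhere: npm exchanges the run's
      # OIDC token for a publish credential valid only for this run, and attaches
      # provenance tying the tarball to this commit and workflow.
      - run: npm publish --provenance --access public

# Weak pattern this replaces. A secret of this kind works from any machine until
# it is revoked, which is the exposure the article describes for Axios:
#      - run: npm publish
#        env:
#          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Once the trusted publisher is configured, revoke any remaining granular or classic publish tokens for the package so the OIDC path is the only one that can publish.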