oss-sec mailing list archives

Axios Supply-Chain Attack [v1.14.1] [0.30.4] --> plain-crypto-js [4.2.0][4.2.1]


From: Michael Straßberger <m.strassberger () metaways de>
Date: Tue, 31 Mar 2026 09:29:05 +0200

Hello OSS-Security,

Since I haven't yet seen a post about this: there was a supply chain
attack targeting the npm package axios.

Axios is a widely distributed and used JavaScript library. Some more
discussion is happening in a GitHub issue [0].

From The Hacker News [1]:

Users who have Axios versions 1.14.1 or 0.30.4 installed are
required to rotate their secrets and credentials with
immediate effect, and downgrade to a safe version
(1.14.0 or 0.30.3). The malicious versions, as well as
"plain-crypto-js," are no longer available for download from
npm.

With more than 83 million weekly downloads, Axios is one of the
most widely used HTTP clients in the JavaScript ecosystem across
frontend frameworks, backend services, and enterprise applications.

"This was not opportunistic," Kurmi added. "The malicious dependency
was staged 18 hours in advance. Three separate payloads were
pre-built for three operating systems. Both release branches
were hit within 39 minutes. Every trace was designed to
self-destruct."

There is a great write-up from @joe-desimone with a script to check
whether your machines are compromised [2].

Other OSS projects that have automatic dependency updates for semver
fix releases may have executed the install payload on their CI
workers. One quick example I've found is Authelia [3].

I would guess there are more auto-merge pipelines that have
executed the payload.

Sadly we'll now see these attacks more often :(

Kind Regards
Michael


[0] https://github.com/axios/axios/issues/10604
[1] https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html#:~:text=Users%20who%20have,is%20as%20follows%20%2D
[2] https://gist.github.com/joe-desimone/36061dabd2bc2513705e0d083a9673e7
[3] https://github.com/authelia/authelia/pull/11597
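As an added example, not part of the post above nor of the write-up it links in [2], here is a Node script that checks an npm package-lock.json for the malicious version pairs the post names (axios 1.14.1 / 0.30.4, plain-crypto-js 4.2.0 / 4.2.1) and states the remediation the post gives for each. It handles npm's v1 nested "dependencies" tree and the v2/v3 flat "packages" map; the sample lockfile embedded in it is constructed for illustration and does not describe any real project.

```javascript
// Added example (not from the post or the linked gist): flag the malicious
// axios / plain-crypto-js versions named in the post inside an npm
// package-lock.json, for both the v1 ("dependencies" tree) and v2/v3
// ("packages" map) lockfile layouts.

// Versions as stated in the post, and the safe axios versions it recommends.
const MALICIOUS = {
  axios: new Set(['1.14.1', '0.30.4']),
  'plain-crypto-js': new Set(['4.2.0', '4.2.1']),
};
const SAFE_AXIOS = { '1.14.1': '1.14.0', '0.30.4': '0.30.3' };

// Package name from a lockfile path such as "node_modules/@scope/pkg" or
// "node_modules/a/node_modules/axios" (the part after the last "node_modules/").
function nameFromPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Returns every lockfile entry whose name/version pair is on the list,
// as { path, name, version } objects in lockfile order.
function findAffected(lock) {
  const hits = [];
  const check = (path, name, version) => {
    const bad = MALICIOUS[name];
    if (bad && bad.has(version)) hits.push({ path, name, version });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the project itself.
    // v2 files also carry a legacy "dependencies" tree, so only one layout is walked.
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '') continue;
      check(path, entry.name || nameFromPath(path), entry.version);
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested tree; rebuild the install path while walking.
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        check(path, name, entry.version);
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Action per hit, following the post: downgrade axios to the last clean
// release; plain-crypto-js has no clean version and has been pulled from npm.
function remediation(hit) {
  const base = 'rotate secrets and credentials';
  return hit.name === 'axios'
    ? `downgrade to ${SAFE_AXIOS[hit.version]}, ${base}`
    : `remove the package (pulled from npm), ${base}`;
}

// Convenience wrapper for a real lockfile on disk.
function checkLockfile(file) {
  const fs = require('fs');
  return findAffected(JSON.parse(fs.readFileSync(file, 'utf8')));
}

// Constructed sample lockfile (not a real project): one bad axios at the top
// level, a bad plain-crypto-js, and a nested clean axios 1.14.0 that must not
// be reported.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/plain-crypto-js': { version: '4.2.1' },
    'node_modules/some-lib': { version: '2.0.0' },
    'node_modules/some-lib/node_modules/axios': { version: '1.14.0' },
  },
};

for (const hit of findAffected(SAMPLE_LOCK)) {
  console.log(`${hit.path}: ${hit.name}@${hit.version} -> ${remediation(hit)}`);
}
```

On a real checkout, `checkLockfile('package-lock.json')` gives the same list for the project's own lockfile. A lockfile hit only shows that a malicious version was resolved; it does not tell you whether the install payload actually ran on that host, which is what the host-level check in [2] is for, and a CI worker that ran an install against such a lockfile should be treated the same way as a developer machine. yarn.lock and pnpm-lock.yaml use different formats and are not parsed here.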
