Axios NPM package compromised by supply chain attack.




After a supply chain attack poisoned Axios, the popular JavaScript HTTP client library, security researchers warned developers who installed two malicious Axios npm releases to rotate credentials and treat affected systems as compromised.

The compromise was first reported by cyber security company Socket, which found that axios@1.14.1 and axios@0.30.4 had been modified to depend on plain-crypto-js@4.2.1, a malicious package that ran automatically when installed. The affected releases were later removed from npm.

According to security firm OX Security, the altered code could give attackers remote access to infected devices, allowing them to steal sensitive information such as login credentials, API keys and crypto wallet data.

The incident shows how a single compromised open source component can affect thousands of applications that trust it, exposing not only developers but also the platforms and users connected to those systems.


Security companies urge key rotation and system audits

OX Security has warned developers who installed axios@1.14.1 or axios@0.30.4 to treat their systems as fully compromised and to immediately rotate all credentials, including API keys and session tokens.

Socket said the affected Axios releases were modified to include a dependency on plain-crypto-js@4.2.1, a package published shortly before the incident and later identified as malicious.


The company said the malicious package was configured to run automatically through a post-install script, which would allow attackers to execute code on target systems without any additional user interaction.

Socket recommends that developers review their projects and dependency files for the affected versions of Axios and the associated plain-crypto-js@4.2.1 package and immediately remove or revert the affected versions.

Previous crypto incidents have highlighted supply chain risks

Previous crypto incidents have shown how supply chain breaches can escalate from stolen developer data to user-wallet losses.

On January 3, onchain researcher ZachXBT reported that “hundreds” of wallets had been drained across Ethereum Virtual Machine-compatible networks in a large-scale attack that took a small amount from each victim.

Cybersecurity researcher Vladimir S said the incident may be related to a breach in December that cost more than 2,500 wallets nearly $7 million.

Trust Wallet later revealed that the breach originated from a supply chain compromise involving npm packages used in its development workflow.


Cointelegraph is committed to independent and transparent journalism. This news article is prepared in accordance with Cointelegraph's Editorial Policy and aims to provide accurate and up-to-date information. Readers are encouraged to verify information independently.
