Elastic Security Labs released triage and behavior-based detections for the Axios supply-chain compromise, where malicious axios versions 1.14.1 and 0.30.4 pulled in plain-crypto-js@4.2.1 and executed payloads through npm postinstall activity. The deliver…
Google Threat Intelligence Group reports that malicious axios releases 1.14.1 and 0.30.4 introduced plain-crypto-js as a dependency, triggering a postinstall dropper that deployed WAVESHAPER.V2 backdoors across Windows, macOS, and Linux. GTIG attributes t…
Two malicious Axios npm releases, versions 1.14.1 and 0.30.4, were published after an attacker used a compromised long-lived classic npm token for the lead maintainer account. The poisoned packages added the hidden dependency plain-crypto-js 4.2.1, whose …
Attackers compromised the npm account of Axios maintainer jasonsaayman, likely through a long-lived classic npm token, and published malicious Axios versions 1.14.1 and 0.30.4. The only Axios package change was the addition of plain-crypto-js@4.2.1, whose…
Wiz reports that an unknown actor compromised an axios maintainer npm account on March 31, 2026 and published malicious axios versions 1.14.1 and 0.30.4. The poisoned releases introduced plain-crypto-js, whose setup.js dropper downloaded second-stage payl…
Trend Micro reported that attackers hijacked the Axios npm maintainer account and manually published malicious Axios versions 1.14.1 and 0.30.4 using stolen credentials rather than the project’s normal OIDC Trusted Publisher workflow. The poisoned release…
Sophos CTU reported that Axios versions 1.14.1 and 0.30.4 were compromised after an apparent npm maintainer account takeover and used to deploy a cross-platform RAT. The malicious dependency executed during installation, retrieved platform-specific second…
OX Security analyzes a supply-chain compromise of axios versions 0.30.4 and 1.14.1 through the malicious plain-crypto-js@4.2.1 dependency. The dependency's postinstall setup.js script contacted sfrclak[.]com on port 8000, fingerprinted the operating syste…
OpenSourceMalware identifies TasksJacker as an active DPRK-linked supply-chain campaign that compromises GitHub repositories by adding malicious .vscode/tasks.json files configured to run when a developer opens the folder in VS Code. The campaign affected…
Invictus assessed the Axios npm compromise as a separate supply-chain incident in which a lead maintainer account was hijacked to publish trojanized versions 1.14.1 and 0.30.4. The malicious releases added plain-crypto-js, deploying a cross-platform RAT a…
Derp's analysis found that Axios 1.14.1 introduced a single new dependency, plain-crypto-js@4.2.1, whose postinstall hook ran an obfuscated JavaScript dropper during npm install. The compromise lasted 169 minutes, affected Axios 1.14.1 and 0.30.4, and use…
SafeDep identified malicious axios releases 1.14.1 and 0.30.4 published to npm after an apparent maintainer account compromise, with no matching GitHub tag or provenance for the 1.14.1 package. The attacker made a narrow manifest-only change by adding the…
Malicious axios versions 1.14.1 and 0.30.4 were briefly published to npm after likely compromise of a maintainer account, exposing developers and CI/CD systems that installed them during the live publication window. The attacker did not alter Axios source…
Axios npm Supply Chain Compromise (2026-03-31) — Full RE + Dynamic Analysis + BlueNoroff Attribution
The analysis attributes the March 2026 axios npm supply-chain compromise to BlueNoroff/Lazarus with high confidence, citing NukeSped classification, macWebT naming overlap with RustBucket webT, matching User-Agent behavior, Hostwinds infrastructure, and c…
Huntress observed active exploitation of the axios npm supply-chain compromise, with malicious axios@1.14.1 and axios@0.30.4 delivering a cross-platform RAT through the plain-crypto-js@4.2.1 postinstall hook. The update notes multiple indicators pointing …