
Axios npm Package Compromised in Supply Chain Attack

Relevance score: 8.8 (technical depth 9, novelty 7, actionability 10, community 9, strategic 9, personal 9)

Scored daily by a customisable AI persona to surface the most relevant engineering leadership news.

Compromise of a widely used HTTP client library to deliver a RAT.

2026-04-03 Security infoq.com
Summary

The Axios npm package (100M+ weekly downloads) was compromised in versions 1.14.1 and 0.30.4 via a hijacked maintainer account; the malicious releases injected malware through the typosquatted plain-crypto-js@4.2.1 dependency. Socket's scanner detected the attack within six minutes. Projects that depended on Axios through unpinned caret ranges such as ^1.14.0 were affected. Mitigation requires an immediate rollback, dependency pinning, and npm settings such as ignore-scripts=true; alternatives such as native fetch offer a smaller attack surface.

Key Takeaways
  • Pin all dependencies and configure npm to ignore install scripts to prevent similar supply chain compromises.
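A small audit, added here as an example and not code from the InfoQ article or the Axios project, that checks a manifest for floating ranges, a lockfile for the two compromised Axios versions and the typosquatted dependency named in the summary, and .npmrc for ignore-scripts=true. The sample manifest, lockfile and .npmrc are constructed for the demonstration; the lockfile layout assumed is npm's lockfileVersion 2/3 "packages" map.

```javascript
// Indicators named in the summary: the two compromised Axios releases and the
// typosquatted dependency they pulled in.
const COMPROMISED = {
  axios: new Set(['1.14.1', '0.30.4']),
  'plain-crypto-js': new Set(['4.2.1']),
};
// Flag manifest ranges that float onto new releases (^, ~, *, latest).
function findUnpinned(pkg) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (/^[\^~]/.test(range) || range === '*' || range === 'latest') out.push({ name, range });
    }
  }
  return out;
}
// Walk a lockfileVersion 2/3 "packages" map and report resolved bad versions,
// including nested copies under node_modules/a/node_modules/b.
function findCompromised(lock) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (COMPROMISED[name] && COMPROMISED[name].has(entry.version)) {
      out.push({ name, version: entry.version, path });
    }
  }
  return out;
}
// True only if .npmrc explicitly disables lifecycle (install) scripts.
function npmrcIgnoresScripts(text) {
  return text.split(/\r?\n/).some((l) => /^\s*ignore-scripts\s*=\s*true\s*$/.test(l));
}
function audit(pkg, lock, npmrc) {
  return { unpinned: findUnpinned(pkg), compromised: findCompromised(lock),
           ignoreScripts: npmrcIgnoresScripts(npmrc) };
}
// Constructed sample inputs: a manifest on the caret range the summary cites, a
// lockfile that already resolved to the bad release, and an .npmrc that does
// not set ignore-scripts.
const samplePkg = { dependencies: { axios: '^1.14.0', express: '4.19.2' } };
const sampleLock = { lockfileVersion: 3, packages: {
  'node_modules/axios': { version: '1.14.1' },
  'node_modules/axios/node_modules/plain-crypto-js': { version: '4.2.1' },
  'node_modules/express': { version: '4.19.2' },
} };
const sampleNpmrc = 'registry=https://registry.npmjs.org/\n';
console.log(JSON.stringify(audit(samplePkg, sampleLock, sampleNpmrc), null, 2));
```

Run it against a real checkout by replacing the constructed objects with `JSON.parse` of package.json and package-lock.json and the contents of .npmrc.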
Why it matters

For a senior engineer focused on developer tooling and infrastructure, supply chain attacks like this one directly threaten the security of build pipelines and runtime environments, and with them system reliability and compliance.