Active Supply Chain Attack on axios 1.14.1
axios@1.14.1, published 2026-03-31, introduces a new dependency, plain-crypto-js, that was not present in the preceding axios release. This package is malicious: it contains an obfuscated postinstall script (setup.js) that downloads and executes a remote payload.
Evidence
Preceding axios release dependencies: follow-redirects, form-data, proxy-from-env (3 deps)
axios@1.14.1 dependencies: same 3 + plain-crypto-js (new, not in any prior axios version)
plain-crypto-js has "postinstall": "node setup.js" in its scripts
setup.js is heavily obfuscated — it decodes base64 strings, writes scripts to the OS temp directory, executes them via shell (macOS) or PowerShell (Windows), then deletes itself
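A defensive check for the two indicators listed above, a dependency that appears for the first time in a release and a package that declares an npm install-lifecycle script, as an added example that is not part of the advisory. The manifests are constructed to mirror the evidence; the version ranges are placeholders and the plain-crypto-js version is not stated on the page.

```javascript
// Added example (not the advisory's own code): flag a newly added dependency
// and any package that declares an npm install-lifecycle script.
const LIFECYCLE = ["preinstall", "install", "postinstall"];

// Constructed manifests: the prior axios release, axios@1.14.1, and the
// suspicious dependency it pulls in. Version ranges are placeholders.
const axiosPrev = {
  name: "axios",
  dependencies: { "follow-redirects": "*", "form-data": "*", "proxy-from-env": "*" },
};
const axiosNew = {
  name: "axios",
  version: "1.14.1",
  dependencies: { ...axiosPrev.dependencies, "plain-crypto-js": "*" },
};
const plainCryptoJs = {
  name: "plain-crypto-js",
  scripts: { postinstall: "node setup.js" },
};

// Dependency names present in the new manifest but absent from the old one.
function newDependencies(oldPkg, newPkg) {
  const before = new Set(Object.keys(oldPkg.dependencies || {}));
  return Object.keys(newPkg.dependencies || {}).filter((d) => !before.has(d));
}

// Packages that will run code at install time, with the hook and command.
function installScripts(pkgs) {
  const hits = [];
  for (const p of pkgs) {
    for (const hook of LIFECYCLE) {
      if (p.scripts && p.scripts[hook]) hits.push({ name: p.name, hook, cmd: p.scripts[hook] });
    }
  }
  return hits;
}

// Combine both checks: a dependency that is new AND runs an install hook.
// `resolved` is the list of manifests actually pulled into node_modules.
function suspiciousNewDeps(oldPkg, newPkg, resolved) {
  const added = new Set(newDependencies(oldPkg, newPkg));
  return installScripts(resolved).filter((h) => added.has(h.name));
}

for (const f of suspiciousNewDeps(axiosPrev, axiosNew, [plainCryptoJs])) {
  console.log(`${f.name}: ${f.hook} -> ${f.cmd}`);
}
```

Running installs with `npm install --ignore-scripts` prevents such a postinstall hook from executing while the diff is reviewed.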