The Axios library was hit by a supply-chain attack: hackers stole npm tokens and injected malware, impacting about 80% of cloud environments.

GateNews

Gate News, April 2: JavaScript's most popular HTTP client library, Axios, was hit by a supply chain attack. The attacker stole the npm access token of Axios's lead maintainer and used it to publish two malicious versions (axios@1.14.1 and axios@0.30.4) containing cross-platform remote access trojans (RATs) covering macOS, Windows, and Linux. The malicious packages were available on the npm registry for about 3 hours before they were removed.

According to data from security firm Wiz, Axios has more than 100 million weekly downloads and is present in about 80% of cloud and code environments. Security firm Huntress detected the first infections just 89 seconds after the malicious packages were published and confirmed that at least 135 systems were compromised during the exposure window.

Notably, the Axios project had previously deployed modern security measures such as an OIDC trusted publishing mechanism and SLSA provenance attestations, but the attacker bypassed these defenses entirely. The investigation found that while the project had configured OIDC, it still retained the traditional long-lived NPM_TOKEN, and npm, when both coexisted, defaulted to the traditional token. The attacker therefore did not need to break OIDC in order to complete the publish.
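The two facts in this report that a defender can act on directly are the malicious version numbers and the token/OIDC coexistence. The following is an added example, not code from Gate News or from the Axios project: a small Node script with two checks. The first scans a package-lock.json for axios@1.14.1 or axios@0.30.4 anywhere in the dependency tree (lockfile versions 1, 2 and 3); the second inspects a GitHub Actions publish workflow and flags the configuration the report describes, a long-lived NPM_TOKEN secret still referenced alongside OIDC trusted publishing (`id-token: write`). The workflow parsing uses line-oriented regular expressions rather than a YAML parser, and the secret names it looks for (NPM_TOKEN, NODE_AUTH_TOKEN) are assumptions; the sample lockfiles and workflow are constructed for the example.

```javascript
// Added example (not from the report or the Axios project): two defensive checks
// prompted by the incident described above.
// Assumptions: conventional GitHub Actions YAML so regexes suffice; token secrets
// are named NPM_TOKEN or NODE_AUTH_TOKEN; sample inputs below are constructed.

const MALICIOUS_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]); // versions named in the report

// Returns every axios entry in a package-lock.json whose version is known-malicious.
function findMaliciousAxios(lockfileJson) {
  const lock = JSON.parse(lockfileJson);
  const hits = [];

  if (lock.packages) {
    // lockfileVersion 2/3: flat "packages" map keyed by install path
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/axios$/.test(path) && MALICIOUS_AXIOS_VERSIONS.has(entry.version)) {
        hits.push({ path, version: entry.version });
      }
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree, walked recursively
    const walk = (deps, prefix) => {
      for (const [name, dep] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "axios" && MALICIOUS_AXIOS_VERSIONS.has(dep.version)) {
          hits.push({ path, version: dep.version });
        }
        walk(dep.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Flags a publish workflow that keeps a long-lived token next to OIDC trusted publishing.
function auditPublishWorkflow(workflowYaml) {
  const usesOidc = /^\s*id-token:\s*write\s*$/m.test(workflowYaml);
  const tokenSecrets = [...new Set(
    [...workflowYaml.matchAll(/secrets\.(NPM_TOKEN|NODE_AUTH_TOKEN)\b/g)].map((m) => m[1])
  )];
  const findings = [];
  if (usesOidc && tokenSecrets.length > 0) {
    findings.push(
      `OIDC trusted publishing (id-token: write) coexists with long-lived token secret(s) ` +
      `${tokenSecrets.join(", ")}; per the report npm preferred the token in this situation, ` +
      `so remove the secret from the workflow and revoke the token in npm.`
    );
  } else if (tokenSecrets.length > 0) {
    findings.push(`publishing relies only on long-lived token secret(s) ${tokenSecrets.join(", ")}; ` +
      `consider migrating to OIDC trusted publishing.`);
  }
  return { usesOidc, tokenSecrets, findings };
}

// --- constructed sample inputs (not real project files) ---
const SAMPLE_LOCKFILE_V3 = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/some-sdk": { version: "2.0.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "1.7.0" },
  },
});

const SAMPLE_LOCKFILE_V1 = JSON.stringify({
  lockfileVersion: 1,
  dependencies: {
    "some-sdk": { version: "2.0.0", dependencies: { axios: { version: "0.30.4" } } },
    axios: { version: "1.7.0" },
  },
});

// Workflow with both OIDC and a residual token secret (the misconfiguration in the report).
const SAMPLE_WORKFLOW_MIXED = `
name: publish
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: \${{ secrets.NPM_TOKEN }}
`;

// Same workflow with the token secret removed: OIDC only.
const SAMPLE_WORKFLOW_OIDC_ONLY = `
name: publish
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm publish --provenance --access public
`;

console.log(findMaliciousAxios(SAMPLE_LOCKFILE_V3));
console.log(findMaliciousAxios(SAMPLE_LOCKFILE_V1));
console.log(auditPublishWorkflow(SAMPLE_WORKFLOW_MIXED).findings);
console.log(auditPublishWorkflow(SAMPLE_WORKFLOW_OIDC_ONLY).findings);
```

Run it with `node` against your own lockfile by reading the file and passing its contents to `findMaliciousAxios`; the lockfile check deliberately walks nested `node_modules` paths because a transitive dependency can pull in the malicious version even when the top-level pin is clean. The workflow check reports the coexistence as a finding rather than treating OIDC as sufficient, since the report's point is that the presence of the token alone was enough to publish.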
