A supply chain attack has hit Axios, the widely used JavaScript HTTP client: two newly published versions of the npm package were found to carry a malicious dependency.
The affected versions, 1.14.1 and 0.30.4, declare a dependency on a previously unknown package named ‘plain-crypto-js’ at version 4.2.1, so any install that resolves either Axios version also pulls that package in. That dependency is the malicious component and poses a significant security risk to anyone who installed the affected releases.
According to StepSecurity, the malicious versions were published using the compromised npm credentials of the primary Axios maintainer, which underlines how much rests on the account security and publish monitoring of a single maintainer.
Supply chain attacks, such as this one, can have far-reaching consequences and emphasize the need for vigilance and proactive security measures to protect against such threats.
Users of Axios should check their lockfiles and installed node_modules trees for the two affected versions and for any occurrence of plain-crypto-js, pin Axios to a version published before the compromise, and investigate any developer machine or CI runner that installed the affected releases.
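The lockfile check described above, as an added example that is not part of the original article or the Axios project. It walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3) and reports any Axios entry at 1.14.1 or 0.30.4, any package that declares plain-crypto-js, and any resolved copy of plain-crypto-js itself. The sample lockfile is constructed for illustration; the package names `example-app` and `some-lib` are invented.

```javascript
// Added example: scan an npm package-lock.json for the Axios versions named
// in the report and for the malicious dependency they pull in.
// Not from the article or the Axios project.

const BAD_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);
const BAD_DEPENDENCY = "plain-crypto-js"; // the dependency added by the compromised releases

// Derive a package name from a lockfile "packages" key such as
// "node_modules/axios" or "node_modules/some-lib/node_modules/axios".
// Scoped names ("node_modules/@scope/pkg") keep their scope.
function packageNameFromPath(path, entry) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  if (idx === -1) {
    // Workspace entries ("packages/foo") carry their name in the entry itself.
    return entry.name || path;
  }
  return path.slice(idx + marker.length);
}

// Returns a list of findings, one per suspicious lockfile entry.
// `lock` is the parsed JSON of a lockfileVersion 2/3 package-lock.json.
function findCompromised(lock) {
  const findings = [];
  const packages = lock.packages || {};
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "") continue; // the root project entry
    const name = packageNameFromPath(path, entry);
    const version = entry.version;

    if (name === "axios" && BAD_AXIOS_VERSIONS.has(version)) {
      findings.push({ path, name, version, reason: "axios version from the compromise" });
    }
    if (name === BAD_DEPENDENCY) {
      findings.push({ path, name, version, reason: "malicious dependency resolved" });
    }
    // Flag any package that declares plain-crypto-js, even if the resolved
    // copy lives elsewhere in the tree.
    const declared = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    if (BAD_DEPENDENCY in declared) {
      findings.push({
        path, name, version,
        reason: `declares ${BAD_DEPENDENCY}@${declared[BAD_DEPENDENCY]}`,
      });
    }
  }
  return findings;
}

// Constructed sample lockfile (hypothetical project "example-app"): a clean
// axios at the root and a compromised copy nested under "some-lib".
const SAMPLE_LOCK = {
  name: "example-app",
  version: "1.0.0",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0",
          dependencies: { axios: "^1.12.0", "some-lib": "^2.0.0" } },
    "node_modules/axios": { version: "1.12.2" },
    "node_modules/some-lib": { version: "2.0.0", dependencies: { axios: "1.14.1" } },
    "node_modules/some-lib/node_modules/axios": {
      version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
  },
};

// Stand-alone run: print each finding for the constructed sample.
for (const f of findCompromised(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.name}@${f.version} (${f.reason})`);
}
```

To run this against a real project, read the lockfile with `fs.readFileSync("package-lock.json", "utf8")`, `JSON.parse` it, and pass the object to `findCompromised`. A clean lockfile yields an empty list; any finding means the tree resolved one of the compromised releases or its payload and the host that installed it deserves a closer look.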
The incident is a reminder of what a single compromised publishing account can do; enforcing two-factor authentication for maintainers who can publish, and alerting on unexpected releases of widely used packages, are the practical steps that would have limited it.
Source: Original Article
