A recent supply chain attack has targeted the widely used HTTP client Axios: two newly published versions of the npm package pull in a malicious dependency.
The compromised versions, 1.14.1 and 0.30.4, add a fake dependency called 'plain-crypto-js' at version 4.2.1 that the legitimate package does not declare, so any install that resolves to one of these releases also fetches the malicious package.
According to reports from StepSecurity, the malicious versions were published using the compromised npm credentials of the primary Axios maintainer, which is why they appeared under the genuine package name with no fork or typosquat involved.
This incident is a reminder that dependency monitoring and maintainer credential hygiene (strong, phishing-resistant authentication on publishing accounts) are both part of defending against supply chain attacks.
Users are advised to check their lockfiles and installed trees for Axios 1.14.1 or 0.30.4 and for any occurrence of plain-crypto-js, and to pin Axios to a known-good version rather than accepting whatever a loose range resolves to.
Because attacks of this kind can land in a package with an otherwise clean history, new releases of even well-established dependencies deserve scrutiny before they are adopted.
