The popular HTTP client known as Axios has suffered a supply chain attack after two newly published versions of the npm package introduced a malicious dependency that delivers a trojan capable of targeting Windows, macOS, and Linux systems.
Versions 1.14.1 and 0.30.4 of Axios have been found to inject "plain-crypto-js" version 4.2.1 as a fake dependency.
According to StepSecurity, the two versions were published using the compromised npm credentials of the primary Axios maintainer ("jasonsaayman"), allowing the attackers to bypass the project's GitHub Actions CI/CD pipeline.
Users who have Axios versions 1.14.1 or 0.30.4 installed are required to rotate their secrets and credentials with immediate effect, and downgrade to a safe version (1.14.0 or 0.30.3). The malicious versions, as well as "plain-crypto-js," are no longer available for download from npm.