Security Alert: Axios Package Compromise
A critical supply chain attack targeting the widely used axios npm package has been discovered, raising fresh concerns around open-source dependency security.

🔍 What Happened?

Malicious versions of axios were published to the npm registry, specifically:
• axios@1.14.1
• axios@0.30.4

These versions introduced a suspicious dependency, plain-crypto-js@4.2.1, which is believed to be part of the attack chain.

The npm registry has since taken corrective action:
• Removed the compromised versions
• Restored the latest tag to axios@1.14.0 (safe version)

🛡️ Platform Response

Vercel conducted an internal investigation and confirmed:
• No impact on their infrastructure
• Preventive measures implemented, including blocking communication with a known command-and-control domain

⚠️ Who Is Affected?

Any project that used the compromised versions during build or deployment may be at risk. Developers should immediately check for:
• axios@1.14.1
• axios@0.30.4
• plain-crypto-js@4.2.1

🧰 Recommended Actions

If your application may have been exposed, take these steps immediately:

1. Audit Dependencies
Scan your package.json, lockfiles, and node_modules for the compromised versions and the plain-crypto-js@4.2.1 dependency listed above.

2. Rebuild & Redeploy
Ensure your application is built using a clean and verified dependency tree.

3. Rotate Credentials
Update all sensitive credentials, including:
• API keys
• Database passwords
• Tokens and environment secrets

4. Upgrade Axios
Move to the secure version: ✅ axios@1.14.0

5. Review Supply Chain
Check for indirect dependencies that may still reference the compromised versions.