A major supply chain attack targeted the popular Axios HTTP client library via npm: versions 1.14.1 and 0.30.4 pulled in a malicious dependency called plain-crypto-js that stole credentials and installed a remote access trojan. The attack appears to have originated from a leaked npm token, highlighting the vulnerability of open source package ecosystems. It follows a similar pattern to the recent LiteLLM attack and underscores the need for trusted publishing practices.
Background
Supply chain attacks targeting popular open source packages through package managers like npm have become increasingly common, posing significant security risks to millions of developers and applications. Axios is one of the most widely used HTTP clients in the JavaScript ecosystem with over 100 million weekly downloads.
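As an added defensive example (not code from the original post or from the Axios project), the following script scans a parsed package-lock.json (lockfileVersion 2 or 3) for the two affected Axios releases and for the plain-crypto-js dependency named above. The sample lockfile, including the plain-crypto-js version number, is constructed for illustration.

```javascript
// Added example: flag the compromised axios releases and the malicious
// plain-crypto-js dependency in an npm lockfile (lockfileVersion 2 or 3).
const AFFECTED_AXIOS = new Set(["1.14.1", "0.30.4"]);
const MALICIOUS_PACKAGES = new Set(["plain-crypto-js"]);

// Lockfile v2/v3 keys are install paths such as "node_modules/axios" or
// "node_modules/foo/node_modules/@scope/bar"; the package name is the
// segment after the last "node_modules/".
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

// Returns findings of the form { path, name, version, reason }.
function scanLockfile(lock) {
  const findings = [];
  const packages = (lock && lock.packages) || {};
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue; // root project entry, not a dependency
    const name = meta.name || packageNameFromPath(path);
    if (!name) continue;
    const version = meta.version;
    if (MALICIOUS_PACKAGES.has(name)) {
      findings.push({ path, name, version, reason: "known malicious package" });
    } else if (name === "axios" && AFFECTED_AXIOS.has(version)) {
      findings.push({ path, name, version, reason: "compromised axios release" });
    }
  }
  return findings;
}

// Constructed sample lockfile: one affected axios install that pulled in
// plain-crypto-js (version value is made up), plus one unrelated package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/axios/node_modules/plain-crypto-js": { version: "0.0.0" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.reason}: ${f.name}@${f.version} (${f.path})`);
}
```

To check a real project, replace SAMPLE_LOCK with the result of JSON.parse on the contents of its package-lock.json.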
- Source
- Simon Willison
- Published
- Apr 1, 2026 at 07:28 AM
- Score
- 8.0 / 10