Summary
axios versions 1.14.1 and 0.30.4 were compromised in a supply chain attack on March 30, 2026. The attacker hijacked a maintainer's npm account and added a malicious dependency (plain-crypto-js) that acts as a cross-platform RAT dropper.
This repo's package.json declares "axios": "^1.8.2". The caret range accepts any 1.x release at or above 1.8.2, so a fresh npm install with no committed lockfile (or after the lockfile is regenerated) could resolve to 1.14.1. The current package-lock.json resolves to 1.13.4 (safe), but the dependency should be pinned to an exact version to prevent an accidental upgrade.
Recommended action
Pin axios to a known-safe version in package.json:
Alternatively, add an overrides (npm) or resolutions (Yarn) field that forces the safe version. Unlike a pin in dependencies, this also constrains copies of axios pulled in transitively by other packages, which is where a compromised version would otherwise still slip in.
References
The malicious versions have been removed from npm, but lockfile audits are still recommended: run npm ls axios to confirm that every resolved copy is a safe version, and search package-lock.json for plain-crypto-js.