Security companies flagged axios@1.14.1 and 0.30.4 as compromised, urging credential rotation and rollback of affected packages.
Two malicious Axios npm releases have prompted warnings for developers to rotate credentials and treat affected systems as compromised after a supply chain attack poisoned the popular JavaScript HTTP client library.
The compromise was first reported by cybersecurity company Socket, which said axios@1.14.1 and axios@0.30.4 were modified to pull in plain-crypto-js@4.2.1, a malicious dependency that ran automatically during installation before the releases were removed from npm.
According to security company OX Security, the altered code can give attackers remote access to infected devices, allowing them to steal sensitive data such as login credentials, API keys and crypto wallet information.