The npm maintainer account for the widely used axios HTTP client was compromised, resulting in two malicious versions (1.14.1 and 0.30.4) being published and tagged as 'latest' and 'legacy'. The attacker introduced a typosquat dependency 'plain-crypto-js' containing an obfuscated postinstall script that downloads and executes

From gist.github.com