The npm account of axios lead maintainer jasonsaayman was hijacked, and two malicious versions (1.14.1 and 0.30.4) were published on March 31. Both versions inject a hidden dependency (plain-crypto-js@4.2.1) that deploys a cross-platform remote access trojan (RAT) targeting macOS, Windows, and Linux. The malware self-destructs after execution, so inspecting node_modules after an infection is unlikely to reveal it. With ~100 million weekly downloads, this ranks among the most impactful npm supply chain attacks ever. Affected users should pin to safe versions (1.14.0 or 0.30.3), remove plain-crypto-js, rotate all credentials, and audit CI/CD logs. Indicators of compromise, file system artifacts, and network IOCs are provided for detection.