Hacked - NPM Package With 100M Downloads Per Week
The popular JavaScript HTTP library Axios (100M+ weekly downloads) was compromised when an attacker gained access to a maintainer account and published a malicious release containing a dependency called 'plain cryptojs'. This package could execute arbitrary code and steal credentials, local files, and cloud provider secrets (AWS, GCP). The issue was discovered and patched within 3-4 hours. The incident highlights the importance of npm lock files and of caution around installing newly released package versions immediately.