A supply chain attack has compromised the Axios npm package by introducing a malicious dependency, plain-crypto-js@4.2.1, published just minutes before the affected Axios release. The compromised versions (axios@1.14.1 and axios@0.30.4) do not appear in Axios's official GitHub tags, suggesting the publish occurred outside the normal release workflow. Socket's automated detection flagged the malicious package within minutes. Developers should immediately check their dependencies and lockfiles for these versions and roll back to a known safe version if found.
Table of contents

- Release Appears Outside Normal Axios Workflow
- Malicious Dependency Published Minutes Earlier
- Suspicious Publisher Activity
- What to do now
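As an added example (not code from the advisory, Socket, or the Axios project), the following Node.js snippet checks a parsed package-lock.json for the versions named above, handling both the v1 nested layout and the v2/v3 flat "packages" layout; the sample lockfile is constructed for illustration and the nesting of plain-crypto-js under axios is an assumption about how the dependency would appear.

```javascript
// Versions named in the advisory; everything else is treated as clean.
const INDICATORS = {
  "axios": new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": new Set(["4.2.1"]),
};

// Lockfile v1 nests packages under "dependencies" recursively.
function walkV1(deps, out, parent) {
  for (const [name, info] of Object.entries(deps || {})) {
    if (INDICATORS[name]?.has(info.version)) {
      out.push({ name, version: info.version, via: `${parent}/${name}` });
    }
    walkV1(info.dependencies, out, `${parent}/${name}`);
  }
}

// Lockfile v2/v3 flattens packages under "packages", keyed by install path,
// so nested copies (e.g. axios's own node_modules) show up as separate keys.
// Returns every {name, version, via} entry that matches INDICATORS.
function findCompromised(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project entry
      const marker = "node_modules/";
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      if (INDICATORS[name]?.has(info.version)) {
        hits.push({ name, version: info.version, via: path });
      }
    }
  } else {
    walkV1(lock.dependencies, hits, ".");
  }
  return hits;
}

// Constructed sample (v3 shape): affected axios pulling in the injected dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/axios/node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

for (const h of findCompromised(SAMPLE_LOCK)) {
  console.log(`FLAGGED ${h.name}@${h.version} at ${h.via}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a non-empty result means the lockfile pins one of the affected versions and should be rolled back and reinstalled.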