{"id":"2038807290422370479","url":"https://x.com/feross/status/2038807290422370479","text":"🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages.\n\nThe latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise.\n\nThis is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now.\n\nSocket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:\n\n• Deobfuscates embedded payloads and operational strings at runtime\n• Dynamically loads fs, os, and execSync to evade static analysis\n• Executes decoded shell commands\n• Stages and copies payload files into OS temp and Windows ProgramData directories\n• Deletes and renames artifacts post-execution to destroy forensic evidence\n\nIf you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.","author":{"name":"Feross","username":"feross","avatarUrl":"https://pbs.twimg.com/profile_images/2000275022666190848/1EeM5zAj_200x200.jpg"},"createdAt":"Tue Mar 31 02:35:11 +0000 2026","engagement":{"replies":541,"retweets":4028,"likes":16185,"views":12395714},"adhxContext":{"savedByCount":1,"publicTags":[],"previewUrl":"https://adhx.com/feross/status/2038807290422370479"}}