🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages.
The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise.
This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now.
Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence
If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
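One way to do that lockfile audit, as an added example that is not part of the original post: a small Node script that walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` and reports the two indicators named above (any copy of `plain-crypto-js`, and `axios` at exactly 1.14.1). The lockfile embedded below is constructed for demonstration; pass a real path as the first argument to scan your own.

```javascript
// Added example (not code from the original post or from the axios project).
// Indicators come from the advisory text: plain-crypto-js should not exist in a
// lockfile at any version; axios 1.14.1 is the release that pulls it in.
const INDICATORS = new Map([
  ["plain-crypto-js", null],   // null = flag every version
  ["axios", "1.14.1"],         // flag only this exact version
]);

// Return every lockfile entry whose package name/version matches an indicator.
// Works on the "packages" map of lockfileVersion 2 and 3 (keys are paths such
// as "node_modules/axios" or "node_modules/a/node_modules/b"; "" is the root).
function findIndicators(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (!INDICATORS.has(name)) continue;
    const want = INDICATORS.get(name);
    if (want === null || meta.version === want) {
      hits.push({ name, version: meta.version, path });
    }
  }
  return hits;
}

// Constructed sample lockfile (hypothetical project, not real data): the
// compromised axios release with its new transitive dependency plus a clean package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.1" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

// Stand-alone use: `node audit-lock.js [path/to/package-lock.json]`
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  const hits = findIndicators(lock);
  for (const h of hits) console.log(`FLAGGED ${h.name}@${h.version} at ${h.path}`);
  console.log(hits.length ? `${hits.length} indicator(s) found` : "no indicators found");
  process.exitCode = hits.length ? 1 : 0;
}
```

A non-zero exit code makes the check usable as a CI gate; it only detects the indicators this post names, so it complements rather than replaces a full dependency review.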