Active Supply Chain Attack on axios 1.14.1

  • Posted 4 hours ago by lemax
  • 16 points
axios@1.14.1, published 2026-03-31, introduces a new dependency plain-crypto-js@4.2.1 that was not present in axios@1.14.0. This package is malicious — it contains an obfuscated postinstall script (setup.js) that downloads and executes a remote payload.

Evidence

axios@1.14.0 dependencies: follow-redirects, form-data, proxy-from-env (3 deps)

axios@1.14.1 dependencies: same 3 + plain-crypto-js (new, not in any prior axios version)

plain-crypto-js has "postinstall": "node setup.js" in its scripts

setup.js is heavily obfuscated — it decodes base64 strings, writes scripts to the OS temp directory, executes them via shell (macOS) or PowerShell (Windows), then deletes itself

1 comments

    Loading..