Axios npm library compromised by malicious dependency
A security incident has again highlighted the supply chain risk inherent in open-source development. Two releases of Axios, the widely used JavaScript HTTP client, were published to npm, the package registry and package manager for JavaScript, with a malicious dependency added to them.
The malicious dependency ran through an npm install lifecycle script, which npm executes automatically during `npm install` with no further user interaction, and gave the attackers code execution on every machine that installed it. That foothold can be used for remote access to the affected device and for theft of secrets found on it, such as login credentials, API keys and cryptocurrency wallet data.
Developers who installed axios@1.14.1 or axios@0.30.4 are advised to treat the affected systems as fully compromised, developer workstations, build servers and CI runners alike, and to rotate every credential that was present on them, including API keys and session tokens.
The incident is a reminder of the value of secure development practices: regular audits of dependencies, pinning versions through a lockfile, and not running install-time scripts by default where they are not needed. It also shows how a supply chain breach can escalate from secrets stolen off a developer's machine to losses for end users, in this case holders of cryptocurrency wallets.
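The two checks a practitioner wants after reading the advice above are "is one of the named Axios versions in my dependency tree?" and "which packages in that tree run code at install time?". The following script, added here as an example and not code from the article or from the Axios project, answers both from a package-lock.json (lockfileVersion 2 or 3). The lockfile it scans is constructed for the example, and the dependency name `example-evil-dep` is a placeholder; the article does not name the real malicious package.

```javascript
// Added example, not from the article or the Axios project: scan an npm
// package-lock.json (lockfileVersion 2 or 3) for the two Axios releases the
// article names and for any package that declares an install-time lifecycle
// script (npm records this as "hasInstallScript": true in the lockfile).
'use strict';

// Versions named in the article, keyed by package name so the check can be
// extended to other advisories.
const AFFECTED = new Map([
  ['axios', new Set(['1.14.1', '0.30.4'])],
]);

// Constructed lockfile fragment for this example. "example-evil-dep" is a
// placeholder: the article does not name the real malicious dependency.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': {
      version: '1.14.1',
      resolved: 'https://registry.npmjs.org/axios/-/axios-1.14.1.tgz',
      dependencies: { 'example-evil-dep': '^1.0.0' },
    },
    'node_modules/example-evil-dep': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/example-evil-dep/-/example-evil-dep-1.0.0.tgz',
      hasInstallScript: true,
    },
    'node_modules/follow-redirects': {
      version: '1.15.6',
      resolved: 'https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.6.tgz',
    },
  },
};

// Lockfile keys are install paths; nested packages look like
// "node_modules/a/node_modules/@scope/b". The package name is the last segment.
function packageNameFromPath(lockPath) {
  const parts = lockPath.split('node_modules/');
  return parts[parts.length - 1];
}

// Returns { affectedVersions, installScripts }, each a list of
// { name, version, path } so the caller can see where a hit sits in the tree.
function findAffected(lock) {
  const hits = { affectedVersions: [], installScripts: [] };
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // root project entry, not a dependency
    const name = packageNameFromPath(lockPath);
    const badVersions = AFFECTED.get(name);
    if (badVersions && badVersions.has(entry.version)) {
      hits.affectedVersions.push({ name, version: entry.version, path: lockPath });
    }
    if (entry.hasInstallScript === true) {
      hits.installScripts.push({ name, version: entry.version, path: lockPath });
    }
  }
  return hits;
}

// Convenience wrapper for a real lockfile on disk.
function scanLockfile(filePath) {
  const fs = require('fs');
  return findAffected(JSON.parse(fs.readFileSync(filePath, 'utf8')));
}

// Stand-alone use: `node scan.js [path/to/package-lock.json]`. Without an
// argument it scans the constructed sample above.
if (typeof require !== 'undefined' && require.main === module) {
  const target = process.argv[2];
  const result = target ? scanLockfile(target) : findAffected(SAMPLE_LOCK);
  console.log(JSON.stringify(result, null, 2));
  // A non-zero exit on a real lockfile makes this usable as a CI gate.
  if (target && result.affectedVersions.length > 0) process.exitCode = 1;
}
```

Two caveats. Lockfile version 1 has no `packages` map (it nests a `dependencies` tree instead), so this script reports nothing for it; regenerate the lockfile with a current npm first. And `npm ls axios` is the quicker way to confirm what is actually installed in a working copy, while the lockfile scan is what you can run in CI over every repository. To stop lifecycle scripts from running automatically in the first place, install with `npm ci --ignore-scripts` or set `ignore-scripts=true` in `.npmrc`; packages that legitimately need an install step (native builds, for instance) then have to be built deliberately, which is the point.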




