
March 31, 2026 at 12:04 PM
Axios npm hit by supply chain attack: Rotate your keys now

- Security alerts have been issued for the popular JavaScript HTTP client library Axios following a supply chain attack.
- Axios versions 1.14.1 and 0.30.4 were identified as compromised and containing malicious code.
- Developers and users are urged to immediately rotate all API keys, login credentials, and session tokens used in affected environments.
Discovery of the Malicious Releases
Cybersecurity firms Socket and OX Security recently flagged two compromised releases of the widely used npm package Axios. The versions in question, axios@1.14.1 and axios@0.30.4, were modified to pull in a malicious dependency, plain-crypto-js@4.2.1. That dependency was published shortly before the attack and was designed to execute automatically during installation through a post-install script, so no further action by the developer was needed for it to run.
According to OX Security, the altered code provides attackers with remote access to infected devices. This unauthorized access allows for the theft of sensitive data, including:
- Login credentials and session tokens
- API keys used for various services
- Cryptocurrency wallet information
Impact and Recommendations for Developers
The incident highlights the vulnerability of the open-source ecosystem, where a single compromised component can impact thousands of downstream applications. Socket noted that because the malicious script runs without additional user interaction, any system that pulled these specific Axios versions should be treated as fully compromised.
Security experts recommend that developers review their project dependency files immediately. If the affected versions are found, they should be removed or rolled back to a known secure version. Furthermore, all credentials stored on or accessed by those systems must be rotated to prevent further exploitation.
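The dependency review the article recommends can be automated. The following Node.js script is an added example and is not code from the article, from Socket or from OX Security; it parses a package-lock.json (lockfileVersion 2 or 3 layout) and reports any entry matching the compromised versions named above, plus any dependency that declares an install script, since that is the mechanism plain-crypto-js@4.2.1 used. The lockfile embedded in the script is a constructed sample, and the package name some-lib is invented for illustration.

```javascript
// Added example (not from the original article): scan a package-lock.json for
// the compromised Axios releases and the malicious dependency named in the
// article, and surface any package that runs an install script.

// Known-bad name/version pairs, taken from the article.
const COMPROMISED = {
  axios: new Set(['1.14.1', '0.30.4']),
  'plain-crypto-js': new Set(['4.2.1']),
};

// Constructed sample lockfile (lockfileVersion 3 layout), not a real project:
// a direct axios@1.14.1, its malicious dependency, and a nested axios@0.30.4
// pulled in by an invented package called some-lib.
const SAMPLE_LOCK = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '4.2.1' } },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
    'node_modules/some-lib': { version: '2.0.0', dependencies: { axios: '0.30.4' } },
    'node_modules/some-lib/node_modules/axios': { version: '0.30.4' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
});

// Package name from a lockfile path: everything after the last "node_modules/".
// Scoped packages ("node_modules/@scope/name") keep their scope prefix.
function nameFromPath(pkgPath) {
  const marker = 'node_modules/';
  const idx = pkgPath.lastIndexOf(marker);
  return idx === -1 ? pkgPath : pkgPath.slice(idx + marker.length);
}

// Return every lockfile entry whose name/version pair is on the compromised list.
// Nested copies (e.g. some-lib/node_modules/axios) are checked too, because a
// clean top-level axios does not rule out a bad transitive one.
function findCompromised(lockJson) {
  const lock = JSON.parse(lockJson);
  const packages = lock.packages || {};
  const hits = [];
  for (const [pkgPath, meta] of Object.entries(packages)) {
    if (pkgPath === '') continue; // root project entry, not a dependency
    const name = nameFromPath(pkgPath);
    const badVersions = COMPROMISED[name];
    if (badVersions && badVersions.has(meta.version)) {
      hits.push({
        path: pkgPath,
        name,
        version: meta.version,
        hasInstallScript: Boolean(meta.hasInstallScript),
      });
    }
  }
  return hits;
}

// Return every dependency flagged by npm as having an install-time script.
// These deserve manual review even when the version is not on the list above.
function findInstallScripts(lockJson) {
  const lock = JSON.parse(lockJson);
  const packages = lock.packages || {};
  return Object.entries(packages)
    .filter(([pkgPath, meta]) => pkgPath !== '' && meta.hasInstallScript === true)
    .map(([pkgPath, meta]) => ({ path: pkgPath, name: nameFromPath(pkgPath), version: meta.version }));
}

// Exit status 1 when any compromised entry is present, so this can gate CI.
function scan(lockJson) {
  const compromised = findCompromised(lockJson);
  const scripted = findInstallScripts(lockJson);
  return { compromised, scripted, clean: compromised.length === 0 };
}

if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  // Use a real lockfile if given on the command line, otherwise the sample.
  const input = process.argv[2] ? fs.readFileSync(process.argv[2], 'utf8') : SAMPLE_LOCK;
  const result = scan(input);
  for (const hit of result.compromised) {
    console.log(`COMPROMISED ${hit.name}@${hit.version} at ${hit.path}`);
  }
  for (const s of result.scripted) {
    console.log(`install script: ${s.name}@${s.version} at ${s.path}`);
  }
  process.exitCode = result.clean ? 0 : 1;
}
```

Run it as `node scan-lock.js package-lock.json` in a project; a non-zero exit marks the lockfile as needing the rollback and credential rotation described above. Installing with npm's `--ignore-scripts` option (or setting `ignore-scripts=true` in `.npmrc`) prevents post-install scripts from running at all, which would have blocked the execution path this attack relied on, at the cost of breaking packages that legitimately need a build step.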
History of Supply Chain Vulnerabilities
This breach follows a pattern of supply chain attacks targeting the cryptocurrency sector. On January 3, the onchain investigator ZachXBT reported that hundreds of wallets across Ethereum Virtual Machine (EVM) compatible networks were drained. Researchers like Vladimir S. have suggested these incidents may be linked to a December breach involving Trust Wallet.
That earlier compromise, which resulted in approximately $7 million in losses across more than 2,500 wallets, was also attributed to a supply chain issue involving npm packages. These events underscore the critical need for rigorous security audits of third-party libraries used in financial and blockchain applications.
