Axios NPM Package Compromised in Supply Chain Attack
Summary
Two releases of the Axios npm package, [email protected] and [email protected], were compromised in a supply chain attack. Security firms are urging developers to treat affected systems as fully compromised and to immediately rotate all credentials, including API keys and session tokens. The attackers modified the packages to pull in a malicious dependency, [email protected], whose post-install script ran automatically during installation, potentially giving the attackers remote access to steal sensitive data such as login credentials and crypto wallet information. The incident underscores how a single compromised open-source component can ripple across many applications.
(Source: Cointelegraph)