The popular HTTP client known as Axios has suffered a supply chain attack after two newly published versions of the npm package introduced a malicious dependency.Versions 1.14.1 and 0.30.4 of Axios have been found to inject “plain-crypto-js” version 4.2.1 as a fake dependency.According to StepSecurity, the two versions were published using the compromised npm credentials of the primary Axios
First seen on thehackernews.com
Jump to article: thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html
