One of JavaScript’s most popular modules has been compromised

The compromised releases of the popular JS package are axios@1.14.1 and axios@0.30.4.

This is pretty wild. Axios is pretty much the standard for making requests from any JavaScript application. It’s literally everywhere, executing trillions of times a day across millions of servers and in browsers everywhere… and it has been compromised.

And to make things worse, there isn't a single malicious line of code checked into the Axios repository itself.

The payload came in through a malicious dependency, plain-crypto-js@4.2.1, that was never actually imported anywhere and has since been taken down. I really wanted to see that source code.

Evidently, the package carried an NPM post-install script, which npm runs automatically at install time whether or not the package is ever imported, and that script installed a cross-platform remote access trojan.

What makes it worse is that this isn't only a production problem: if you ran an NPM install locally, outside a container, the script ran with your own user's access to your workstation and could do a lot of damage there as well.

Luckily, it seems it was found pretty quickly, but the dev community still went wild over it. This could have been, and possibly still is, really bad.

It's always an odd feeling to have such disdain for the malicious parties that pull this crap while at the same time admiring the creativity and craftsmanship it takes to pull something like this off.

Bottom line: If you are using Axios, double-check your dependencies pronto. If you have any machines that this ran on, you will likely need to wipe them and cycle all credentials those machines had access to. You don’t want this stuff running on your servers.

As per usual, Fireship did a great video on this that you should all check out.