Supply Chain Attack on Axios Pulls Malicious Dependency from npm
Blog post from Socket
A supply chain attack on the popular HTTP client Axios introduced a malicious dependency through specific npm releases, notably [email protected] and [email protected], which pulled in the compromised package [email protected]. The payload was a remote access trojan capable of executing commands, exfiltrating data, and maintaining persistence on infected systems. Discrepancies in the release process, such as the absence of a GitHub tag for the affected Axios version and the use of a long-lived npm token, suggest the package was published outside the project's standard procedures. Socket's malware detection identified the malicious package quickly, and remediation is now focused on revoking tokens, tightening publish controls, and restoring a secure release pipeline. The attack was sophisticated: it used a multi-stage payload delivery with platform-specific scripts and heavy obfuscation to evade detection. The incident shows how a single compromised dependency can propagate rapidly through the ecosystem and affect a large number of downstream projects.