★ Satire · Wed, Jul 1, 2026 · Daily Gossip No. 361 · Salacious News
technology · Exclusive

You Won’t Believe How Hackers Turned Axios Into a Trojan Horse Overnight
Photo illustration · Salacious News

Stop the presses and pass the dry shampoo: Axios, the darling JavaScript HTTP client used by practically everyone and their front-end bestie, just became the center of a supply-chain scandal. An unknown attacker hijacked the npm account of Axios’s lead maintainer and slipped out malicious releases that planted a remote access trojan—yes, a full-on RAT—right into unsuspecting installs.

Here’s the tea: late Sunday into early Monday, poisoned Axios versions hit npm before being yanked, but not before sending the security world into a group text meltdown. Huntress clocked the timing, Aikido called it “one of the most impactful npm supply chain attacks on record,” and researchers from Step Security, Socket, Endor Labs, and more started ringing alarm bells like it was New Year’s Eve.

Step Security traced the caper to two look-what-just-dropped versions—axios@1.14.1 and axios@0.30.4—that quietly added a dependency called plain-crypto-js@4.2.1. That add-on didn’t beautify anything; it acted as a loader, triggering a post-install script that deployed a cross-platform RAT targeting macOS, Windows, and Linux. Technically, there were “zero lines of malicious code inside axios itself”—the attacker simply exploited the dependency chain the way a reality star weaponizes a confessional. Socket’s Feross Aboukhadijeh dubbed it “textbook supply chain installer malware,” warning that any npm install pulling the latest during the window was potentially compromised.

And because every scandal needs a twist, the payload reportedly dodged static analysis, confused human reviewers, and even deleted or renamed artifacts to muddle forensics—like wiping the lipstick off the crime scene mirror. Step Security’s Ashish Kurmi called the operation “precision,” noting the malicious dependency was staged less than 24 hours ahead, with both bad releases pushed within the same hour. Aboukhadijeh called it a “live compromise” with a big potential blast radius.

Axios sees around 100 million weekly downloads, so even a short exposure is no small drama. SANS Institute’s Joshua Wright estimated the window could translate to roughly 600,000 downloads, with immediate credential scraping on install raising the stakes for downstream access. In plain terms: if your CI/CD pipeline grabbed the tainted versions, your secrets might have been invited to the wrong afterparty.

Damage control mode, darlings: experts advise pinning Axios to a safe known version, auditing and re-generating your lockfiles, and—this is important—do not upgrade to the latest until trusted advisories give the all-clear. Comb through CI caches and containers for the sneaky dependency, rotate credentials that might’ve been exposed, and monitor for suspicious outbound connections. Today’s lesson? Even the most popular packages can get compromised, so treat your dependency tree like a VIP guest list—strict, verified, and absolutely no plus-ones you didn’t invite.
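For the "comb through your lockfiles" step, here is an added example (not code from the article, CyberScoop, or the Axios project) that scans a parsed package-lock.json for the two release versions and the plain-crypto-js version the story names, and also flags any package that npm recorded as carrying an install script, since that is where the loader in this incident ran. The sample lockfile and the version numbers in the clean case are constructed for the demo.

```javascript
// Added example, not the article's or the Axios project's code.
// Scans a parsed package-lock.json (lockfileVersion 1, 2 or 3) for the
// releases named in the story and for any package with an install script.
const COMPROMISED = {
  axios: new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": new Set(["4.2.1"]),
};

function nameFromPath(pkgPath) {
  // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
  const idx = pkgPath.lastIndexOf("node_modules/");
  return idx === -1 ? pkgPath : pkgPath.slice(idx + "node_modules/".length);
}

function scanLockfile(lock) {
  const findings = [];
  const check = (name, entry, where) => {
    if (!entry || !entry.version) return;
    if (COMPROMISED[name] && COMPROMISED[name].has(entry.version)) {
      findings.push({ name, version: entry.version, where, reason: "compromised release" });
    }
    // npm records hasInstallScript in v2/v3 lockfiles; review every such package
    if (entry.hasInstallScript) {
      findings.push({ name, version: entry.version, where, reason: "install script present" });
    }
  };
  if (lock.packages) {
    // v2/v3: flat map keyed by install path; "" is the root project itself
    for (const [pkgPath, entry] of Object.entries(lock.packages)) {
      if (pkgPath !== "") check(nameFromPath(pkgPath), entry, pkgPath);
    }
    return findings;
  }
  const walk = (deps, prefix) => { // v1: nested "dependencies" tree
    for (const [name, entry] of Object.entries(deps || {})) {
      const where = `${prefix}node_modules/${name}`;
      check(name, entry, where);
      walk(entry.dependencies, `${where}/`);
    }
  };
  walk(lock.dependencies, "");
  return findings;
}

// Constructed sample lockfile (v3 shape) mirroring the dependency chain the story describes.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
};
```

Run it against every lockfile in your repos and CI caches, and treat an "install script present" hit on a package you did not expect as something to review, not necessarily as a compromise.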

Original article: CyberScoop ▸
