Supply chain attack hits Axios npm releases, users urged to rotate keys

Cointelegraph

Two malicious Axios npm releases have prompted warnings for developers to rotate credentials and treat affected systems as compromised after a supply chain attack poisoned the popular JavaScript HTTP client library.

The compromise was first reported by cybersecurity company Socket, which said axios@1.14.1 and axios@0.30.4 were modified to pull in plain-crypto-js@4.2.1, a malicious dependency that ran automatically during installation; both releases have since been removed from npm.

According to security company OX Security, the altered code can give attackers remote access to infected devices, allowing them to steal sensitive data such as login credentials, API keys and crypto wallet information.

The incident shows how a single compromised open-source component can potentially ripple across thousands of applications that rely on it, exposing not just developers but also platforms and users connected to the system.

Security companies urge key rotation, system audits

OX Security warned developers who installed axios@1.14.1 or axios@0.30.4 to treat their systems as fully compromised and immediately rotate credentials, including API keys and session tokens.

Socket said the compromised Axios releases were modified to include a dependency on plain-crypto-js@4.2.1, a package published shortly before the incident and later identified as malicious.


Socket said the dependency was configured to run automatically during installation through a post-install script, allowing attackers to execute code on target systems without any additional user interaction.

Socket advised developers to review their projects and dependency files for the affected Axios versions and the associated plain-crypto-js@4.2.1 package, and to remove or roll back any compromised versions immediately.

Earlier crypto incidents highlight supply chain risks

Earlier crypto incidents have shown how supply chain breaches can escalate from stolen developer information to user-facing wallet losses.

On Jan. 3, onchain investigator ZachXBT reported that “hundreds” of wallets across Ethereum Virtual Machine-compatible networks were drained in a broad attack that siphoned small amounts from each victim.

Cybersecurity researcher Vladimir S. said the incident was potentially linked to a December breach affecting Trust Wallet, which resulted in roughly $7 million in losses across over 2,500 wallets.

Trust Wallet later said the breach may have originated from a supply chain compromise involving npm packages used in its development workflow.

