Feross Aboukhadijeh, from the security company Socket Security, has discovered a potential security risk: a supply chain issue within Axios, a widely used package on npm.
As a crypto investor, I’ve been learning a lot about the tech behind these projects, and I keep running into something called NPM. It stands for Node Package Manager, and honestly, it’s like the biggest library of free, pre-built code for JavaScript – we’re talking over two million pieces! From what I gather, it’s absolutely essential for building most of the Web3 applications we see today – you could even say it’s the foundation for a lot of it.
Feross reports that the newest version of axios (1.14.1) is unexpectedly including a package called plain-crypto-js@4.2.1, which wasn’t around before today. This strongly indicates a potential security breach.
This is a dangerous piece of malware disguised as a common software component. Axios, a popular tool with over 100 million weekly downloads, has been compromised. Anyone currently installing the latest version of Axios could be affected. Security analysis from Socket AI confirms it’s malware, and ‘plain-crypto-js’ appears to be a hidden program that downloads and installs further malicious software.
This harmful software can do many things, such as erasing or renaming files after it runs to hide its tracks. It also copies the files it needs to operate into temporary system folders and can then run commands. Essentially, it tries to conceal its activity and establish itself on your computer.
CRITICAL: Active supply chain attack on axios — one of npm’s most depended-on packages.
A recent update to axios (version 1.14.1) has unexpectedly added a package called plain-crypto-js (version 4.2.1), which wasn’t included before. This is considered a serious security risk.
This is textbook supply chain installer malware. axios…
— Feross (@feross) March 31, 2026
Developers using axios should immediately lock down their current version and check for any security vulnerabilities in their project’s dependencies. It’s best to avoid updating axios until further notice.
2026-03-31 07:40