Feross Aboukhadijeh of the security company Socket has reported a supply chain compromise of axios, one of the most widely used packages on npm.
As a crypto investor, I’ve been learning a lot about the tech behind these projects, and I keep running into something called NPM. It stands for Node Package Manager, and honestly, it’s like the biggest library of free, pre-built code for JavaScript – we’re talking over two million pieces! From what I gather, it’s absolutely essential for building most of the Web3 applications we see today – you could even say it’s the foundation for a lot of it.
Feross reports that the newest version of axios (1.14.1) unexpectedly pulls in a dependency called plain-crypto-js@4.2.1, a package that did not exist before today. A brand-new, previously unknown package appearing as a dependency of a major library is a strong indicator that the library's publishing pipeline or maintainer account has been compromised.
The new dependency is malware disguised as an ordinary software component. Axios, which sees over 100 million weekly downloads, has been compromised, and anyone installing the latest version could be affected. Security analysis from Socket AI confirms it is malicious: plain-crypto-js behaves as an installer that downloads and runs further malicious software on the victim's machine.
According to the analysis, the package deletes or renames its own files after it runs in order to cover its tracks, copies the files it needs into temporary system directories, and then executes commands from there. In short, it is built to evade notice and to establish itself on the host.
CRITICAL: Active supply chain attack on axios — one of npm’s most depended-on packages.
A recent update to axios (version 1.14.1) has unexpectedly added a package called plain-crypto-js (version 4.2.1), which wasn’t included before. This is considered a serious security risk.
This is textbook supply chain installer malware. axios…
— Feross (@feross) March 31, 2026
Developers using axios should immediately pin the version they currently have installed (an exact version in package.json and a committed lockfile rather than a floating range), check their dependency tree for plain-crypto-js and for axios 1.14.1, and avoid updating axios until further notice.
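The following script is an added example, not code from Socket, Feross or the axios project. It checks a lockfile (npm lockfileVersion 2 or 3, which store every installed package under a "packages" map) for the dependency named in the report and for the affected axios release, and it flags any axios range in package.json that is not pinned to an exact version and so would float to a newer release on the next install. The project name, the other packages and their versions in the sample inputs are constructed for illustration.

```javascript
// Added example: scan an npm lockfile for the injected dependency and the
// affected axios release, and check that axios is pinned exactly.
const SUSPECT_PACKAGE = "plain-crypto-js"; // package named in Socket's report
const AFFECTED_AXIOS = "1.14.1";           // axios release named in the report

// Package name from a lockfile path such as "node_modules/a/node_modules/@s/b".
function nameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Returns one finding per lockfile entry that is the suspect package or the
// affected axios release, including nested copies under other packages.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry
    const name = meta.name || nameFromPath(path); // aliases carry a "name" field
    if (name === SUSPECT_PACKAGE) {
      findings.push({ path, version: meta.version, reason: "suspect package present" });
    } else if (name === "axios" && meta.version === AFFECTED_AXIOS) {
      findings.push({ path, version: meta.version, reason: "affected axios release" });
    }
  }
  return findings;
}

// An exact semver triple (no ^, ~, x or range operators) will not float.
function isExactVersion(range) {
  return /^\d+\.\d+\.\d+$/.test(range);
}

// Returns the axios entries in package.json whose range is not an exact version.
function unpinnedAxios(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (name === "axios" && !isExactVersion(range)) out.push({ field, range });
    }
  }
  return out;
}

// Constructed sample inputs (hypothetical project "sample-app"; the caret
// range and the left-pad entry are made up for illustration). Replace them
// with JSON.parse(fs.readFileSync("package-lock.json", "utf8")) and the same
// for package.json to check a real project.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { axios: "^1.13.0", "left-pad": "1.3.0" },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { axios: "^1.13.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`FINDING ${f.reason}: ${f.path}@${f.version}`);
}
for (const u of unpinnedAxios(SAMPLE_PACKAGE_JSON)) {
  console.log(`WARN ${u.field}.axios = "${u.range}" is not pinned to an exact version`);
}
```

The lockfile is scanned rather than package.json alone because a caret range in package.json says nothing about what is actually installed; the lockfile records the resolved version and every nested copy, which is where a transitively injected package shows up. On the sample input the script reports the affected axios release, the suspect package and the unpinned caret range.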
2026-03-31 07:40