Feross Aboukhadijeh, from the security company Socket Security, has discovered a potential security risk: a supply chain issue within Axios, a widely used package on npm.
As a crypto investor, I’ve been learning a lot about the tech behind these projects, and I keep running into something called NPM. It stands for Node Package Manager, and honestly, it’s like the biggest library of free, pre-built code for JavaScript – we’re talking over two million pieces! From what I gather, it’s absolutely essential for building most of the Web3 applications we see today – you could even say it’s the foundation for a lot of it.
Feross reports that the newest version of axios (1.14.1) is unexpectedly including a package called plain-crypto-js@4.2.1, which wasn’t around before today. This strongly indicates a potential security breach.
This is a dangerous piece of malware disguised as a common software component. Axios, a popular tool with over 100 million weekly downloads, has been compromised. Anyone currently installing the latest version of Axios could be affected. Security analysis from Socket AI confirms it’s malware, and ‘plain-crypto-js’ appears to be a hidden program that downloads and installs further malicious software.
This harmful software can do many things, like erase or rename files after running to hide its tracks. It also copies files needed to operate into temporary system folders and can then run commands. Essentially, it tries to cover its tracks and establish itself on your computer.
CRITICAL: Active supply chain attack on axios — one of npm’s most depended-on packages.
A recent update to axios (version 1.14.1) has unexpectedly added a package called plain-crypto-js (version 4.2.1), which wasn’t included before. This is considered a serious security risk.
This is textbook supply chain installer malware. axios…
— Feross (@feross) March 31, 2026
Developers using axios should immediately pin their current version and audit their project’s dependencies for security vulnerabilities. It’s best to avoid updating axios until further notice.
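One way to carry out that dependency check, as an added example (not code from Socket or the axios project): a Node.js script that scans a parsed package-lock.json, including nested copies pulled in by other packages, for the two versions named in the report. The function names, the script name and the sample lockfile are constructed for illustration.

```javascript
// Versions named in the report above (both taken from the page).
const FLAGGED = new Map([['axios', ['1.14.1']], ['plain-crypto-js', ['4.2.1']]]);

// Constructed sample lockfile (v3 layout), not from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/plain-crypto-js': { version: '4.2.1' },
    'node_modules/legacy-sdk/node_modules/axios': { version: '1.6.8' },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(key) {
  const i = key.lastIndexOf('node_modules/');
  return i === -1 ? key : key.slice(i + 'node_modules/'.length);
}

// Returns [{name, version, where}] for v2/v3 ("packages") and v1 (nested "dependencies") lockfiles.
function findFlagged(lock) {
  const hits = [];
  const check = (name, version, where) => {
    if ((FLAGGED.get(name) || []).includes(version)) hits.push({ name, version, where });
  };
  if (lock.packages) {
    for (const [key, meta] of Object.entries(lock.packages)) {
      // Skip the root project entry; "name" is set when a folder is an alias.
      if (key !== '') check(meta.name || nameFromPath(key), meta.version, key);
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, trail + name);
      walk(meta.dependencies, trail + name + ' > ');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// CLI (hypothetical file name): node check-lock.js package-lock.json; exit code 1 on a hit
if (process.argv[2]) {
  import('node:fs').then((fs) => {
    const found = findFlagged(JSON.parse(fs.readFileSync(process.argv[2], 'utf8')));
    for (const h of found) console.log(`FLAGGED ${h.name}@${h.version} at ${h.where}`);
    process.exitCode = found.length ? 1 : 0;
  });
}
```

A clean result only means the lockfile does not resolve to those exact versions; it says nothing about what is already unpacked in `node_modules` or cached on build machines.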
2026-03-31 07:40