🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages.
The latest [email protected] now pulls in [email protected], a package that did not exist before today. This is a live compromise.
This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now.
Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence
If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
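One concrete way to act on the "audit your lockfiles" advice above is to scan package-lock.json for the dependency the post names and report which package pulled it in. The following is an added example for defenders, not code from the post or from Socket; the lockfile it scans is constructed inline with placeholder version strings (the real compromised versions are not reproduced here), and it handles both the lockfileVersion 2/3 "packages" layout and the older lockfileVersion 1 nested "dependencies" tree.

```python
import json
import sys

# Constructed sample lockfile (lockfileVersion 3 layout). Version strings are
# placeholders for illustration only, not the actual compromised releases.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.0.0"}},
        "node_modules/axios": {
            "version": "1.0.0-PLACEHOLDER",
            "dependencies": {"plain-crypto-js": "^0.0.0-PLACEHOLDER"},
        },
        "node_modules/plain-crypto-js": {"version": "0.0.0-PLACEHOLDER"},
        "node_modules/follow-redirects": {"version": "1.15.0"},
    },
})


def package_name(path):
    """Map a lockfile 'packages' key to a package name, e.g.
    'node_modules/a/node_modules/@scope/b' -> '@scope/b'. The root entry
    ('') maps to the empty string."""
    if not path:
        return ""
    return path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock_text, suspect):
    """Return where `suspect` is installed and which packages declare it.

    Result: {"installed": [(path_or_parent, version), ...],
             "declared_by": [dependent_name, ...]}"""
    lock = json.loads(lock_text)
    root_name = lock.get("name") or "<root>"
    installed = []    # lockfile entries where the suspect package is present
    declared_by = []  # packages whose dependency lists reference the suspect

    packages = lock.get("packages")
    if packages is not None:
        # lockfileVersion 2/3: flat map keyed by install path.
        for path, meta in packages.items():
            if package_name(path) == suspect:
                installed.append((path, meta.get("version")))
            for field in ("dependencies", "optionalDependencies", "peerDependencies"):
                if suspect in meta.get(field, {}):
                    declared_by.append(package_name(path) or root_name)
    else:
        # lockfileVersion 1: nested tree; "requires" lists what a package needs.
        def walk(tree, parent):
            for name, meta in tree.items():
                if name == suspect:
                    installed.append((parent, meta.get("version")))
                if suspect in meta.get("requires", {}):
                    declared_by.append(name)
                walk(meta.get("dependencies", {}), name)
        walk(lock.get("dependencies", {}), root_name)

    return {"installed": installed, "declared_by": sorted(set(declared_by))}


def report(lock_text, suspect):
    """Human-readable summary; returns True when the suspect is absent."""
    result = audit_lockfile(lock_text, suspect)
    if not result["installed"] and not result["declared_by"]:
        print(f"OK: {suspect} not present in lockfile")
        return True
    for where, version in result["installed"]:
        print(f"FOUND {suspect}@{version} at {where}")
    for dependent in result["declared_by"]:
        print(f"  declared as a dependency by: {dependent}")
    return False


if __name__ == "__main__":
    # Usage: python audit_lock.py [path/to/package-lock.json] [package-name]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCKFILE
    name = sys.argv[2] if len(sys.argv) > 2 else "plain-crypto-js"
    sys.exit(0 if report(text, name) else 1)
```

Run it against the constructed sample and it reports plain-crypto-js installed under node_modules with axios as the declaring dependent; pointed at a real package-lock.json it exits non-zero when the package is present, which makes it easy to wire into CI as a gate alongside pinning the axios version.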
Imagine a CEO of a security firm showcasing 6 of his "best" auditors running an 11-week audit and missing 11 highs, 17 meds, then running it as a success story for their automated scanning tool.
All these finds are superhuman? Prove it.
Humans didn't have time to find them? Then you heavily underscoped the required effort.
Doesn't strike me as a confidence booster to clients paying deep 6-figures for an audit and expecting reasonable coverage.
At TrustSec we'd rather lose the deal than ship a report we can't defend, but maybe that's just us.
Introducing Claude Code Security, now in limited research preview.
It scans codebases for vulnerabilities and suggests targeted software patches for human review, allowing teams to find and fix issues that traditional tools often miss.
Learn more: https://t.co/n4SZ9EIklG
Introducing EVMbench—a new benchmark that measures how well AI agents can detect, exploit, and patch high-severity smart contract vulnerabilities. https://t.co/op5zufgAGH
Prompt engineering is dead.
Anthropic just published their internal playbook on what actually matters: XML-structured prompting.
Only 2% of users know this exists.
Here's what changed:
One of the best articles I have EVER read.😮
A former hacker, currently a CEO explaining:
- How Money Works, Startups and VCs
- The Birth of a Shitcoin and more
"A hacker is someone who understands how the world works."
https://t.co/C2vuCLJrjc