Post Mortem: axios NPM supply chain compromise (github.com)
Axios says attackers briefly published two malicious npm versions (axios 1.14.1 and 0.30.4) after compromising the lead maintainer’s account via social engineering. The tampered packages pulled a rogue dependency (plain-crypto-js@4.2.1) that installed a remote access trojan on macOS, Windows, and Linux, and the versions were live for about three hours before removal. The post-mortem urges users who installed during the affected window (or who see the packages in their lockfile) to treat systems as compromised, remove the dependency, rotate credentials, and review network logs; it also outlines security changes such as using OIDC/immutable release processes and tightening GitHub Actions.
April 04, 2026 07:54
Source: Hacker News
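The post-mortem's first remediation step is to check whether the tampered versions ever landed in a project's lockfile. Below is an added example of that check, written for this page and not taken from the Axios post-mortem or the axios project: it parses an npm `package-lock.json` (lockfileVersion 1, 2 or 3), walks every installed entry including nested `node_modules` copies, and reports any package whose name and version match the indicators the summary gives (axios 1.14.1 and 0.30.4, plain-crypto-js 4.2.1). The two sample lockfiles are constructed for the demonstration; the `COMPROMISED` table and the `find_compromised` helper are this example's own names.

```python
import json
import sys

# Indicators as stated in the post-mortem summary above. Any entry whose
# name and exact version match is flagged.
COMPROMISED = {
    "axios": {"1.14.1", "0.30.4"},
    "plain-crypto-js": {"4.2.1"},
}


def _walk_v1(deps, prefix, findings):
    """Recurse through the nested 'dependencies' tree of a v1 lockfile."""
    for name, meta in (deps or {}).items():
        version = meta.get("version")
        path = f"{prefix}/{name}" if prefix else name
        if version in COMPROMISED.get(name, set()):
            findings.append((path, version))
        _walk_v1(meta.get("dependencies"), path, findings)


def find_compromised(lockfile_text):
    """Return [(install_path, version)] for every flagged entry in the lockfile.

    lockfileVersion 2/3 carry a flat 'packages' map keyed by the on-disk path
    (e.g. 'node_modules/foo/node_modules/axios'); lockfileVersion 1 carries a
    nested 'dependencies' tree. Both layouts are covered so that a transitive
    copy pinned to a bad version is not missed.
    """
    lock = json.loads(lockfile_text)
    findings = []

    packages = lock.get("packages")
    if packages:
        for path, meta in packages.items():
            if not path:
                continue  # the "" key is the root project itself, not a dependency
            # The package name is whatever follows the last 'node_modules/' segment;
            # scoped names such as '@scope/name' survive this split intact.
            name = path.split("node_modules/")[-1]
            version = meta.get("version")
            if version in COMPROMISED.get(name, set()):
                findings.append((path, version))
    else:
        _walk_v1(lock.get("dependencies"), "", findings)

    return findings


# Constructed sample: a v3 lockfile that pulled the tampered axios release and
# its rogue dependency during the affected window.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0",
             "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/plain-crypto-js": {"version": "4.2.1"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

# Constructed sample: a v1 lockfile where only a nested, transitive copy of
# axios is on the bad 0.x line.
SAMPLE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "axios": {"version": "1.13.0"},
        "some-lib": {"version": "2.0.0",
                     "dependencies": {"axios": {"version": "0.30.4"}}},
    },
})


if __name__ == "__main__":
    # Usage: python check_lock.py [path/to/package-lock.json]
    # With no argument the two constructed samples are scanned instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sources = [(sys.argv[1], fh.read())]
    else:
        sources = [("sample-v3", SAMPLE_LOCK_V3), ("sample-v1", SAMPLE_LOCK_V1)]
    for label, text in sources:
        hits = find_compromised(text)
        for path, version in hits:
            print(f"{label}: COMPROMISED {path}@{version}")
        if not hits:
            print(f"{label}: no flagged versions found")
```

A clean lockfile is necessary but not sufficient: the post-mortem treats any system that installed during the window as compromised, so a hit here means the dependency must be removed, credentials rotated and network logs reviewed, not merely the version bumped.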