North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack

Google Threat Intelligence Group (GTIG) is tracking an active software supply chain attack targeting the popular Node Package Manager (NPM) package "axios." Between March 31, 2026, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named "plain-crypto-js" into axios NPM releases versions 1.14.1 and 0.30.4. Axios is the most popular JavaScript library used to simplify HTTP requests, and these packages typically have over 100 million and 83 million weekly downloads, respectively. This malicious dependency is an obfuscated dropper that deploys the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux.

Pulse ID: 69cd1d9aae74cc11b50ba18e
Pulse Link: https://otx.alienvault.com/pulse/69cd1d9aae74cc11b50ba18e
Pulse Author: AlienVault
Created: 2026-04-01 13:28:58

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Google #HTTP #InfoSec #Java #JavaScript #Korea #Linux #Mac #MacOS #NPM #NorthKorea #OTX #OpenThreatExchange #SupplyChain #Windows #bot #iOS #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Axios Front-End Library npm Supply Chain Poisoning Alert

On March 31, NSFOCUS CERT detected that the npm repository of the HTTP client library Axios was poisoned by the supply chain. The attacker bypassed the normal GitHub Actions CI/CD pipeline of the project, changed the account email address of the axios maintainer to an anonymous ProtonMail address, and manually released a malicious version with a Trojan backdoor through the npm CLI. When the user installs it, a persistent remote control will be established on the host. The impact is wide-ranging, and relevant users are requested to take measures for investigation and protection as soon as possible.

Pulse ID: 69cd1aa5d630ea626fc62588
Pulse Link: https://otx.alienvault.com/pulse/69cd1aa5d630ea626fc62588
Pulse Author: AlienVault
Created: 2026-04-01 13:16:21

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Email #GitHub #HTTP #InfoSec #NPM #OTX #OpenThreatExchange #SupplyChain #Trojan #bot #iOS #AlienVault

HTTP/1 vs HTTP/2 vs HTTP/3

This article provides a detailed, clear-cut analysis of HTTP/1 vs HTTP/2 vs HTTP/3, focusing on how each version improves (or fails to improve) web performance, efficiency, and modern use cases.

What is HTTP?

HTTP stands for Hypertext Transfer Protocol. It’s the foundation of data communication on the World Wide Web. When you visit a website, your browser uses #HTTP to request content (like text, images, videos) ...

Continued 👉 https://blog.radwebhosting.com/http-1-vs-http-2-vs-http-3/?utm_source=mastodon&utm_medium=social&utm_campaign=mastodon.raddemo.host #quiccloud

x402 V2: New protocol makes HTTP payments multichain-capable and more modular

The x402 protocol, which embeds HTTP payments directly into existing HTTP infrastructure via the long-unused 402 status code, is receiving a comprehensive technical upgrade with version 2. Since its launch in May 2025, more than 100 million transactions have been processed

https://www.all-about-security.de/x402-v2-neues-protokoll-macht-http-zahlungen-multichain-faehig-und-modularer/

#http

x402 V2 brings multichain HTTP payments: protocol details

x402 V2 brings important improvements for HTTP payments. Learn how the protocol is reshaping payment processing.

All About Security The online magazine on cybersecurity. Ransomware, phishing, IT security, network security, AI, threats, DDoS, identity & access, platform security

It's alive!

#AdaLang #HTTP

#Development #Reports
axios compromised on npm · Popular JavaScript HTTP client hit by supply chain attack https://ilo.im/16bt4y

_____
#Malware #JavaScript #HTTP #Library #Npm #Security #WebDev #Frontend #Backend

axios Compromised on npm - Malicious Versions Drop Remote Access Trojan - StepSecurity

Hijacked maintainer account used to publish poisoned axios releases including 1.14.1 and 0.30.4. The attacker injected a hidden dependency that drops a cross platform RAT. We are actively investigating and will update this post with a full technical analysis.

The popular axios library was briefly compromised on npm. The attacker gained access to a maintainer account and published malicious versions:

[email protected]

[email protected]

How the attack worked

This was not a direct modification of the axios code, but a supply chain attack via dependencies:

The attacker added a new dependency to the package:

[email protected]

This package contained a malicious […]

https://zdrojak.cz/zpravicky/axios-kompromitovany-na-npm-supply-chain-utok/

heise+ | Blazing-fast WordPress sites with Vinyl Cache

Slow websites annoy users, and the popular CMS WordPress, of all things, is not known for fast page loads. Vinyl Cache provides a remedy.

https://www.heise.de/ratgeber/Rasante-WordPress-Seiten-mit-Vinyl-Cache-11212955.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon

#HTTP #IT #Webserver #Wordpress #news

c't Magazin

TeamPCP’s Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM

TeamPCP launched a sophisticated attack on the Telnyx Python SDK, publishing malicious versions 4.87.1 and 4.87.2 to PyPI. The attack represents an evolution from their previous LiteLLM campaign, incorporating WAV-based steganography, split-file code injection, and expanded platform support. The payload, activated on import, uses stealthy techniques to download and execute credential-stealing malware across Linux, macOS, and Windows systems. Key changes include the use of audio steganography to hide malicious code, improved evasion through split-file injection, and the addition of Windows support with Startup folder persistence. The attackers shifted from HTTPS to plaintext HTTP infrastructure, potentially exposing their activities to network monitoring. Organizations are advised to downgrade to the last clean version and treat affected systems as compromised.

Pulse ID: 69cabb96c63dbeb412355267
Pulse Link: https://otx.alienvault.com/pulse/69cabb96c63dbeb412355267
Pulse Author: AlienVault
Created: 2026-03-30 18:06:14

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CodeInjection #CyberSecurity #HTTP #HTTPS #ICS #InfoSec #Linux #Mac #MacOS #Malware #OTX #OpenThreatExchange #PyPI #Python #RAT #Steganography #Windows #bot #AlienVault
