🚨 Supply Chain Attack on Axios Pulls Malicious Dependency from npm

｢ The latest version pulls in [email protected], a package that Socket has confirmed as malicious. Our analysis shows the malicious package deploys a multi-stage payload, including a remote access trojan (RAT) capable of executing arbitrary commands, exfiltrating system data, and persisting on infected machines ｣

https://socket.dev/blog/axios-npm-package-compromised

#axios #github #supplychain #infosec

Supply Chain Attack on Axios Pulls Malicious Dependency from...

A supply chain attack on Axios introduced a malicious dependency, [email protected], published minutes earlier and absent from the project’s GitHu...

Socket

Axios supply chain attack → malicious npm package deployed cross-platform RAT.

Highly coordinated compromise of a top open-source dependency.

Source: https://www.technadu.com/axios-supply-chain-attack-deploys-cross-platform-rat/624880/

#Infosec #SupplyChain #DevSecOps

FUTURE OF TROPICAL PLANTATIONS UNCERTAIN AS LABOR CRISIS LOOMS

Why is there a labor crisis in tropical plantations for palm oil, cocoa, and coffee? Find out how low wages and poor conditions affect global supply chains.

#PlantationLabor, #PalmOilCrisis, #CocoaSupply, #CoffeeShortage, #SupplyChain

https://newsletter.tf/tropical-plantation-labor-crisis-threatens-supply/

The future of palm oil, cocoa, and coffee is uncertain due to a major labor shortage. This is a bigger problem than last year's supply chain issues.

#PlantationLabor, #PalmOilCrisis, #CocoaSupply, #CoffeeShortage, #SupplyChain
https://newsletter.tf/tropical-plantation-labor-crisis-threatens-supply/

Tropical Plantation Labor Crisis Threatens Palm Oil, Cocoa, Coffee Supply

Why is there a labor crisis in tropical plantations for palm oil, cocoa, and coffee? Find out how low wages and poor conditions affect global supply chains.

NewsletterTF
axios Compromised on npm - Malicious Versions Drop Remote Access Trojan - StepSecurity

Hijacked maintainer account used to publish poisoned axios releases including 1.14.1 and 0.30.4. The attacker injected a hidden dependency that drops a cross platform RAT. We are actively investigating and will update this post with a full technical analysis.

Deedy (@deedydas)

A warning that in the vibecoding world, supply chain attacks like those on axios, litellm, and xz will become more and more common. It stresses that a development style that does not require understanding the code in depth can also work to attackers' advantage, so dependency verification and security review have become even more important when using AI-based development tools.

https://x.com/deedydas/status/2038834655697490156

#vibecoding #supplychain #security #llm #opensource

Deedy (@deedydas) on X

Supply chain attacks like the currently breaking axios, litellm and xz are only going to be more commonplace in the vibecoding world. The entire premise of vibecoding is “I don’t need to understand the code” happens to also be the entire premise of a supply chain attack.

X (formerly Twitter)

Simon Willison (@simonw)

A warning that if axios is among your NPM dependencies, you should verify that it is pinned to a safe version. The possibility of a further supply chain attack targeting axios is raised, and developers are advised to lock versions and carry out a security review immediately.

https://x.com/simonw/status/2038814487588000100

#axios #npm #supplychain #security #dependency

Simon Willison (@simonw) on X

If you have NPM package axios in your dependencies you need to make sure it's pinned to a known safe version, sounds like there's another supply chain attack in play

X (formerly Twitter)

Feross (@feross)

A supply chain attack appears to have occurred in axios, one of the most widely used packages on npm. The latest [email protected] pulls in [email protected], which first appeared today, and there are confirmed indications that malicious code is included in the install process. Check immediately whether you are using an affected version and pin to a safe version.

https://x.com/feross/status/2038807290422370479

#axios #npm #supplychain #malware #security

Feross (@feross) on X

🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest [email protected] now pulls in [email protected], a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios

X (formerly Twitter)
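As an added example (not code from any of the posts, vendors or projects above): a small Node.js script that walks a package-lock.json (lockfileVersion 2 or 3) for axios installs at the versions the StepSecurity summary above names, 1.14.1 and 0.30.4, and reports whether package.json pins axios to an exact version, which is the check Simon Willison's and Feross's posts ask for. The deny list, the function names and the sample manifest and lockfile are constructed for this example; take the affected version set from the advisory you are actually working from.

```javascript
// Added example: audit a project's lockfile and manifest for axios.
// Not part of any post above; AFFECTED holds only the versions the
// StepSecurity summary names, and the SAMPLE_* inputs are constructed.
"use strict";

const AFFECTED = {
  axios: new Set(["1.14.1", "0.30.4"]),
};

// Walk the "packages" map of a v2/v3 lockfile. Keys look like
// "node_modules/axios" or "node_modules/foo/node_modules/axios"; the
// package name is whatever follows the last "node_modules/", so nested
// (transitive) copies of axios are caught as well as the top-level one.
function findAffected(lock, affected = AFFECTED) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // workspace entries such as "packages/foo"
    const name = path.slice(idx + "node_modules/".length);
    const bad = affected[name];
    if (bad && bad.has(meta.version)) {
      hits.push({ name, version: meta.version, path });
    }
  }
  return hits;
}

// A spec counts as pinned only when it is an exact version: no ^, ~,
// x-ranges, "*", hyphen ranges, or dist-tags such as "latest".
function isExactVersion(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

// Report how the root manifest declares the package (deps + devDeps).
function checkPinning(manifest, name = "axios") {
  const deps = {
    ...(manifest.dependencies || {}),
    ...(manifest.devDependencies || {}),
  };
  if (!(name in deps)) return { present: false, pinned: false, spec: null };
  const spec = deps[name];
  return { present: true, pinned: isExactVersion(spec), spec };
}

function auditProject(manifest, lock) {
  return { hits: findAffected(lock), pinning: checkPinning(manifest) };
}

// Constructed sample inputs (not a real project's files): a caret range
// on axios that resolved to 1.14.1, plus a transitive 0.30.4 copy pulled
// in under a hypothetical SDK.
const SAMPLE_MANIFEST = {
  name: "demo-app",
  dependencies: { axios: "^1.14.0" },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/some-sdk": { version: "2.0.0", dependencies: { axios: "0.30.x" } },
    "node_modules/some-sdk/node_modules/axios": { version: "0.30.4" },
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
};

// Usage: node audit-axios.js [package.json] [package-lock.json]
// With no arguments the constructed samples are audited instead.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const [mPath, lPath] = process.argv.slice(2);
  const manifest = mPath ? JSON.parse(fs.readFileSync(mPath, "utf8")) : SAMPLE_MANIFEST;
  const lock = lPath ? JSON.parse(fs.readFileSync(lPath, "utf8")) : SAMPLE_LOCK;
  const result = auditProject(manifest, lock);
  for (const h of result.hits) {
    console.log(`AFFECTED: ${h.name}@${h.version} at ${h.path}`);
  }
  if (result.pinning.present && !result.pinning.pinned) {
    console.log(`WARN: axios spec "${result.pinning.spec}" is a range, not an exact pin`);
  }
  process.exitCode = result.hits.length ? 1 : 0;
}
```

The script checks the lockfile rather than package.json alone because a caret range such as `^1.14.0` is exactly what lets a freshly published poisoned patch release get resolved on the next install; the lockfile records what was actually installed, including transitive copies under other packages. A non-zero exit code makes it usable as a CI gate.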

"axios Compromised on npm - Malicious Versions Drop Remote Access Trojan"

https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan

Just another Tuesday. Developing software is becoming a riskier business by the day.

#npm #javascript #nodejs #security #supplychain
