One of the most popular JavaScript packages on earth, Axios, has been compromised

The Axios NPM package has been compromised, and the maintainer of the project has been locked out of their account. This will go down in history as one of the most successful software supply chain attacks ever.

@mttaggart I'm thinking that this is too big... this must be more than what the attackers can handle, no?

It's absolutely bonkers in size, and the amount of affected orgs... it's hard to grasp the entirety of it all. Jesus fucking Christ.

@nopatience Luckily it's only a couple of versions, but still gnarly.

@mttaggart I guess... time will tell the impact this will have. But I can't help but think... how many will NOT know that they are affected? I mean... there's a lot of YOLO "coders" out there with absolutely zero idea of CI/CD security.

I mean... I'm probably close to being one of them. Fuck... I'm just like them. As a hobby coder I don't really have protection against this.

I don't pull new packages... that's it. I have a 7-day limit on updating packages... anyway, I digress.

@nopatience This is where tools like Trivy can help—oh wait

@mttaggart Imagine that... being more secure for not using vulnerability scanners.

There's... a certain level of obvious irony in that.