Axios 1.14.1 compromised with malware, targets AI-assisted development workflows

By OpenClawRadar. Published: March 31, 2026.

Supply chain attack targets axios package

A supply chain attack has compromised axios version 1.14.1, which silently pulls in [email protected] as a dependency. That package is an obfuscated RAT (Remote Access Trojan) dropper. npm has pulled the malicious version, but developers who installed it while it was available may be infected.

AI-assisted development workflows at risk

The attack specifically targets developers using AI coding assistants such as Claude. The source notes that with AI-assisted coding, developers often let the assistant handle package installation without checking package.json diffs or auditing which dependencies are being pulled in. Attackers are exploiting this trust in automated workflows, where developers scaffold projects and run installs without manual verification.


Immediate detection and remediation steps

Run these commands to check for infection:

# Check your lockfile
grep -r "plain-crypto-js" package-lock.json
grep -r "[email protected]" package-lock.json

# Check for persistence artifacts
ls -la /library/caches/com.apple.act.mond   # macOS
ls /tmp/ld*                                 # Linux

If you find the malicious package:

  • Roll back to [email protected] immediately
  • Rotate all keys and credentials (AWS credentials, API keys, etc.)
  • Audit all lockfiles in your projects

Preventive measures

The source recommends pinning versions and manually auditing the dependencies that AI assistants pull in. Developers should slow down on automated installs and actually read which packages are being added to their projects.
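The grep commands above and the lockfile audit recommended here can be done more reliably by parsing package-lock.json instead of pattern-matching its text. The script below is an added example, not code from the post or from the axios project: it walks a lockfile (v1, v2 or v3 layout), flags the axios release and the dependency name given in the post, reports which packages an install added relative to a previous lockfile (the "read what is being added" step), and checks for the persistence paths the post lists. The exact plain-crypto-js version and the known-good axios version are not on the page, so the sample lockfiles use labelled placeholder versions and the audit flags plain-crypto-js by name regardless of version.

```python
"""Audit a package-lock.json for the indicators named in the post (added example)."""
import glob
import json

# Indicators taken from the post: the compromised axios release and the
# dependency it pulls in. The plain-crypto-js version is not given on the
# page, so any version of that package name is flagged.
COMPROMISED = {"axios": {"1.14.1"}}
FLAGGED_NAMES = {"plain-crypto-js"}

# Persistence artifacts named in the post (macOS path and Linux /tmp pattern).
PERSISTENCE_PATHS = ["/library/caches/com.apple.act.mond", "/tmp/ld*"]


def load_lockfile(path):
    """Read a package-lock.json from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _package_name(key):
    """Turn a lockfile v2/v3 'packages' key into a package name.

    Keys look like 'node_modules/axios' or
    'node_modules/foo/node_modules/@scope/bar'; the package name is whatever
    follows the last 'node_modules/'. The empty key is the root project.
    """
    if key == "":
        return None
    return key.rsplit("node_modules/", 1)[-1]


def iter_packages(lock):
    """Yield (name, version) for every package in a lockfile.

    Handles lockfileVersion 2/3 ('packages') and the v1 layout
    ('dependencies', nested per package).
    """
    if "packages" in lock:
        for key, meta in lock["packages"].items():
            name = _package_name(key)
            if name:
                yield name, meta.get("version")
        return

    def walk(deps):
        for name, meta in deps.items():
            yield name, meta.get("version")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def audit_lockfile(lock):
    """Return sorted 'name@version' strings that match an indicator."""
    hits = set()
    for name, version in iter_packages(lock):
        if name in FLAGGED_NAMES or version in COMPROMISED.get(name, ()):
            hits.add(f"{name}@{version}")
    return sorted(hits)


def new_dependencies(old_lock, new_lock):
    """Packages (name@version) present in new_lock but not in old_lock.

    Running this against the lockfile before and after an AI-driven install
    shows exactly what the install added or upgraded.
    """
    before = set(iter_packages(old_lock))
    after = set(iter_packages(new_lock))
    return sorted(f"{n}@{v}" for n, v in after - before)


def persistence_artifacts(patterns=PERSISTENCE_PATHS):
    """Return the filesystem paths from the post that currently exist."""
    found = []
    for pattern in patterns:
        found.extend(glob.glob(pattern))
    return sorted(found)


# Constructed sample lockfiles: CLEAN_LOCK is a project before an install,
# INFECTED_LOCK is the same project after an install pulled in the
# compromised axios release. Versions other than 1.14.1 are placeholders.
CLEAN_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/axios": {"version": "0.0.0-known-good-placeholder"},
        "node_modules/follow-redirects": {"version": "0.0.0-placeholder"},
    },
}
INFECTED_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/follow-redirects": {"version": "0.0.0-placeholder"},
        "node_modules/plain-crypto-js": {"version": "0.0.0-placeholder"},
    },
}

if __name__ == "__main__":
    print("indicators:", audit_lockfile(INFECTED_LOCK))
    print("added by install:", new_dependencies(CLEAN_LOCK, INFECTED_LOCK))
    print("persistence artifacts present:", persistence_artifacts())
```

To use it on a real project, replace the constructed dictionaries with `load_lockfile("package-lock.json")`, keeping a copy of the previous lockfile (for example from `git show HEAD:package-lock.json`) as the "before" side of `new_dependencies`. Parsing the JSON avoids both the false negatives of grepping for an exact `name@version` string and the false positives of a substring match elsewhere in the file.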

📖 Read the full source: r/ClaudeAI
