OneKey Anzen


@OneKey_Anzen

The Security Lab at OneKey.

/dev/null Joined October 2022
3 Following 332 Followers
OneKey Anzen @OneKey_Anzen
⚠️ Axios supply chain attack notice: Axios is one of the most popular HTTP client libraries for JavaScript/Node.js. AI tools like Cursor, Copilot, and Claude often generate npm i axios without pinning a version, which can install the malicious 1.14.1 or 0.30.4.

Quick actions:
> Check package.json and your lockfile
> Safe versions: 1.14.0 (1.x) / 0.30.3 (0.x)
> If affected, treat the machine as compromised and rotate all keys/credentials immediately

OneKey security team has reviewed all our repos — we are not impacted. We use strict version pinning across projects.

Supply chain attacks are rising. Pin your dependencies.
Feross @feross

🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages.

The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware.

axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now.

Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence

If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.

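The "check package.json and your lockfile" step from the post above, written out as an added example (this is not OneKey's or Feross's code). It walks a package-lock.json in either the v2/v3 layout ("packages" keyed by install path) or the v1 layout ("dependencies" nested by name), flags the axios releases and the plain-crypto-js dependency named in the post, and also flags a caret/tilde range in package.json that would let a fresh install resolve to the bad release. The sample lockfile and manifest at the bottom are constructed for the demo; the file names in the main guard are the npm defaults.

```python
import json
import re
import sys

# Versions taken from the post above: the malicious releases and the last safe ones.
MALICIOUS_AXIOS = {"1.14.1", "0.30.4"}
SAFE_AXIOS = {"1.14.0", "0.30.3"}
# Dependency the compromised axios release pulls in, per the post.
SUSPICIOUS_PACKAGES = {"plain-crypto-js"}

EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")


def _iter_packages(lock):
    """Yield (name, version) for every installed package in a package-lock.json.

    lockfileVersion 2/3 stores a flat "packages" map keyed by install path;
    lockfileVersion 1 nests "dependencies" by package name.
    """
    packages = lock.get("packages")
    if isinstance(packages, dict):
        for path, meta in packages.items():
            if path == "":  # the root project entry, not a dependency
                continue
            # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
            name = path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version", "")
        return
    stack = [lock.get("dependencies", {})]
    while stack:
        for name, meta in stack.pop().items():
            yield name, meta.get("version", "")
            nested = meta.get("dependencies")
            if isinstance(nested, dict):
                stack.append(nested)


def audit_lockfile(lock):
    """Return a list of findings for a parsed lockfile; empty means nothing matched."""
    findings = []
    for name, version in _iter_packages(lock):
        if name == "axios" and version in MALICIOUS_AXIOS:
            findings.append(f"axios@{version} is a malicious release; safe: {sorted(SAFE_AXIOS)}")
        if name in SUSPICIOUS_PACKAGES:
            findings.append(f"{name}@{version} is installed (dropper pulled in by compromised axios)")
    return findings


def audit_manifest(manifest):
    """Flag axios specs in package.json that are not pinned to an exact version."""
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        spec = manifest.get(section, {}).get("axios")
        if spec is not None and not EXACT_VERSION.match(spec):
            findings.append(f"{section}: axios spec '{spec}' is not pinned; a fresh install may resolve to a bad release")
    return findings


# Constructed sample inputs: an app whose caret range resolved to the bad release.
SAMPLE_MANIFEST = {"dependencies": {"axios": "^1.14.0"}}
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/plain-crypto-js": {"version": "4.2.1"},
    },
}


def audit_files(manifest_path="package.json", lock_path="package-lock.json"):
    """Read both files from disk and return combined findings."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    with open(lock_path) as f:
        lock = json.load(f)
    return audit_manifest(manifest) + audit_lockfile(lock)


if __name__ == "__main__":
    results = audit_files(*sys.argv[1:3]) if len(sys.argv) > 1 else (
        audit_manifest(SAMPLE_MANIFEST) + audit_lockfile(SAMPLE_LOCK))
    for line in results:
        print("FINDING:", line)
    sys.exit(1 if results else 0)
```

Run it with no arguments to see the findings for the constructed sample, or pass the paths to a real package.json and package-lock.json; a non-zero exit status makes it usable as a CI gate. A clean result only means these specific indicators are absent, so the post's advice to pin exact versions still applies.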
OneKey Anzen @OneKey_Anzen
OneKey Anzen is the Security Lab at @OneKeyHQ. Follow us to get the latest news from our research👊😎