saad62

21 posts
@worstrbx

Creator of SupplyGuard AI | Hunting the Axios v1.14.1 Phantom Breach | Open Source Security Researcher. Check your project: https://t.co/d6duQSLTUU

Joined January 2026
2 Following, 0 Followers
saad62@worstrbx
@rxerium Standard tools (npm audit) are blind to the 'plain-crypto-js' phantom dependency used in this attack. I've built a 10-second CLI scanner to hunt these specific 2026 Axios patterns. Open source & free: github.com/saadgheh/Suppl…
saad62@worstrbx
@WhichbufferArda Standard tools (npm audit) are blind to the 'plain-crypto-js' phantom dependency used in this attack. I've built a 10-second CLI scanner to hunt these specific 2026 Axios patterns. Open source & free: github.com/saadgheh/Suppl…
Arda Büyükkaya@WhichbufferArda
🚨 Axios supply chain attack is a big oopsie. By "oopsie" I mean someone just backdoored one of the most popular npm packages with 100M weekly downloads 🙃

What happened:
• Hijacked maintainer's npm account, swapped email to attacker's ProtonMail
• Published axios@1.14.1 & axios@0.30.4 within 39 mins
• Injected fake dependency plain-crypto-js
• Postinstall drops cross-platform RAT
• Malware mirrors DPRK's WAVESHAPER backdoor

🔴 IOCs:
C2: 142.11.206[.]73:8000
Domain: sfrclak[.]com
URL: hxxp://sfrclak[.]com:8000/6202033
macOS RAT SHA256: 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a
User-Agent: mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)
saad62@worstrbx
@vedantdotrpm @Fried_rice Standard tools (npm audit) are blind to the 'plain-crypto-js' phantom dependency used in this attack. I've built a 10-second CLI scanner to hunt these specific 2026 Axios patterns. Open source & free: github.com/saadgheh/Suppl…
Vedant@vedantdotrpm
Things That Happened in Tech in the Last Couple of Weeks
- Axios npm Package Compromised in Supply Chain Attack (RAT via Dependency)
- Telegram Zero-Click Exploit Enables Full Device Takeover via Stickers
- AI-Powered Phishing Campaigns Rapidly Increasing in Sophistication
- Prompt Injection Vulnerability Exposes Data in AI Systems
- Microsoft Copilot Introduces Multi-Model Verification for Safer Outputs
- Security Experts Warn Against Risks of “Vibe Coding” with AI
- OkCupid Faces Backlash Over Sharing User Data with AI Firm
- iPhone Child Safety Feature Bug Locks Users into Restricted Mode
- Surge in Zero-Day Exploits Targeting Enterprise Systems
- Claude AI Identifies Hundreds of Zero-Day Vulnerabilities in Open Source

If you're a developer and this doesn't concern you, you're not paying attention.
saad62@worstrbx
@morganlinton Standard tools (npm audit) are blind to the 'plain-crypto-js' phantom dependency used in this attack. I've built a 10-second CLI scanner to hunt these specific 2026 Axios patterns. Open source & free: github.com/saadgheh/Suppl…
Morgan@morganlinton
For anyone trying to determine if they were impacted by the axios/npm supply chain attack. I just built a little security scanner, in Rust 🦀 Free and open source, super quick and easy way to scan a repo and make sure you're in good shape. Link to GH repo in first comment below.
saad62@worstrbx
@momika233 Standard tools (npm audit) are blind to the 'plain-crypto-js' phantom dependency used in this attack. I've built a 10-second CLI scanner to hunt these specific 2026 Axios patterns. Open source & free: github.com/saadgheh/Suppl…
张惠倩@momika233
1. The attacker tampered with axios@1.14.1 and implanted the malicious dependency plain-crypto-js@4.2.1 (disguised as crypto-js)
2. Malicious scripts are triggered automatically when the latest version is installed through npx, achieving a cross-platform persistent control attack chain
3. Covers three platforms: Windows / macOS / Linux, with strong confrontation and self-destruction features

At present, npm officials and the security community have not issued an official announcement; please check yourself immediately!
saad62@worstrbx
@Anubhavhing Standard tools (npm audit) are blind to the 'plain-crypto-js' phantom dependency used in this attack. I've built a 10-second CLI scanner to hunt these specific 2026 Axios patterns. Open source & free: github.com/saadgheh/Suppl…
Anubhav@Anubhavhing
AI didn't cause the axios supply chain attack. But it created the perfect conditions for it. More people shipping code than ever. More agents installing packages no one reviews. More dependencies no one reads. Attackers didn't get smarter. The attack surface just got 10x bigger.
Quoting Feross@feross:

🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now. Socket AI analysis confirms this is malware.

plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence

If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
saad62@worstrbx
@feross @SocketSecurity Standard tools (npm audit) are blind to the 'plain-crypto-js' phantom dependency used in this attack. I've built a 10-second CLI scanner to hunt these specific 2026 Axios patterns. Open source & free: github.com/saadgheh/Suppl…
Feross@feross
@SocketSecurity UPDATE in case you missed it earlier: This is bigger than initially reported. Both axios@1.14.1 AND axios@0.30.4 were compromised – the attacker poisoned the 1.x and 0.x branches within 39 minutes of each other, maximizing blast radius across projects using caret ranges.
saad62@worstrbx
@heliotsx Standard tools (npm audit) are blind to the 'plain-crypto-js' phantom dependency used in this attack. I've built a 10-second CLI scanner to hunt these specific 2026 Axios patterns. Open source & free: github.com/saadgheh/Suppl…
Hélio Costa@heliotsx
axios just suffered a supply chain attack. axios, the lib that's in practically every JavaScript project on the planet. and we already went through something similar a few months ago. what I learned: it doesn't matter how big the lib is, it doesn't matter how many weekly downloads it has. if someone compromises a dependency or a maintainer, your entire system becomes an attack vector. and the worst part? most devs don't even know what's running inside their own node_modules
Quoting Luke Berry@LukeberryPi:

🚨 the AXIOS library has been compromised, with 300 million weekly downloads 🚨
if you're waking up now in Brazil, you have the chance to save your company's repository.
search your lockfile for these 2 versions:
axios@1.14.1
axios@0.30.4
if they are present, pin a specific lower version (depending on the major) and merge IMMEDIATELY
npm install axios@1.14.0
npm install axios@0.30.3
the impact of this is going to be catastrophic
saad62@worstrbx
@IntCyberDigest @dez_ Standard tools (npm audit) are blind to the 'plain-crypto-js' phantom dependency used in this attack. I've built a 10-second CLI scanner to hunt these specific 2026 Axios patterns. Open source & free: github.com/saadgheh/Suppl…
International Cyber Digest@IntCyberDigest
‼️ Meet the guy almost everyone loves for alerting the axios devs about the supply chain attack. He built a supply chain monitoring system last week, and was alerted within minutes of the axios compromise. The world should be thanking Elastic Security's finest: Joe @dez_
Quoting International Cyber Digest@IntCyberDigest:

‼️ Meet the guy almost everyone hates for releasing a PoC for a MongoDB unauthenticated memory leak exploit dubbed Mongobleed the day after Christmas. This is allegedly the vulnerability used to breach Ubisoft, which led to the R6 chaos.
saad62@worstrbx
@shawnchauhan1 Standard tools (npm audit) are blind to the 'plain-crypto-js' phantom dependency used in this attack. I've built a 10-second CLI scanner to hunt these specific 2026 Axios patterns. Open source & free: github.com/saadgheh/Suppl…
Shawn Chauhan@shawnchauhan1
The axios npm package was compromised today. 300 million weekly downloads. Malware injected via a hijacked maintainer account. This is not a zero-day. It's a supply chain attack. The oldest trick in the book. Every major language ecosystem has this exposure. A single trusted maintainer account is the attack surface. If your stack touches axios: pin your version, audit your lockfiles, halt upgrades now. The scarier version of this story is the one nobody noticed.
saad62@worstrbx
@_JohnHammond Standard tools (npm audit) are blind to the 'plain-crypto-js' phantom dependency used in this attack. I've built a 10-second CLI scanner to hunt these specific 2026 Axios patterns. Open source & free: github.com/saadgheh/Suppl…
Charly Wargnier@DataChaz
🚨 Want to quickly check if you've been compromised by the Axios supply-chain attack? Hari (@hrkrshnn) just shipped a free @claudeai skill for us 🙏
/plugin marketplace add cantinasec/plugins
/plugin install cantinasec@cantinasec-plugins
/reload-plugins
/cantinasec:axios
saad62@worstrbx
@port_dev Standard tools (npm audit) are blind to the 'plain-crypto-js' phantom dependency used in this attack. I've built a 10-second CLI scanner to hunt these specific 2026 Axios patterns. Open source & free: github.com/saadgheh/Suppl…
port 🦞@port_dev
The axios attack would've been caught by a 7-day release age gate. paste this into your AI agent: "Read portdeveloper.github.io/supply-chain-p… and apply it " It detects your package managers, sets up min-release-age, and installs a hook that checks every future install automatically.
saad62@worstrbx
@syedaquib77 Standard tools (npm audit) are blind to the 'plain-crypto-js' phantom dependency used in this attack. I've built a 10-second CLI scanner to hunt these specific 2026 Axios patterns. Open source & free: github.com/saadgheh/Suppl…
saad62@worstrbx
@wholyv Standard tools (npm audit) are blind to the 'plain-crypto-js' phantom dependency used in this attack. I've built a 10-second CLI scanner to hunt these specific 2026 Axios patterns. Open source & free: github.com/saadgheh/Suppl…
lyv ⌘@wholyv
this is the worst day in the modern human history…
> axios attack occurred. 100M devices at risk of malware attack.
> claude code source code got leaked, people literally put it on github. which confirms maybe mythos will probably not be the best model.
> 4TB of secret data leaked from Mercor.
> opus consuming entire limits in two prompts.
> google announced how crypto is at severe risk after quantum made it possible to break crypto in just 10k qubits.
saad62@worstrbx
@feross Standard tools (npm audit) are blind to the 'plain-crypto-js' phantom dependency used in this attack. I've built a 10-second CLI scanner to hunt these specific 2026 Axios patterns. Open source & free: github.com/saadgheh/Suppl…
saad62@worstrbx
@vineetwts Standard tools (npm audit) are blind to the 'plain-crypto-js' phantom dependency used in this attack. I've built a 10-second CLI scanner to hunt these specific 2026 Axios patterns. Open source & free: github.com/saadgheh/Suppl…
Vineet@vineetwts
This is how the Axios Supply Chain Attack happened
- Lead maintainer's npm account was hacked
- Hacker obtained the npm access token
- Changed registered mail to `ifstap@proton.me`
- Published directly via CLI, bypassing CI/CD checks
- Throwaway account pre-staged attack (18h prior)
- plain-crypto-js@4.2.0 used as a clean decoy
- plain-crypto-js@4.2.1 → actual malicious payload
- Triggered via npm postinstall hook
- Installed cross-platform RAT:
  - Connected to C2 → sfrclak.com:8000
  - Self-destructed after execution
Quoting Feross@feross (the post quoted above).
saad62@worstrbx
@Star_Knight12 Standard tools (npm audit) are blind to the 'plain-crypto-js' phantom dependency used in this attack. I've built a 10-second CLI scanner to hunt these specific 2026 Axios patterns. Open source & free: github.com/saadgheh/Suppl…
Prasenjit@Star_Knight12
🚨CRITICAL: Axios got hacked. here's what happened:
→ attacker hijacked a lead maintainer's npm account
→ swapped the email to an anonymous protonmail
→ bypassed GitHub Actions entirely
→ manually pushed axios@1.14.1 via npm CLI
the malicious version injects plain-crypto-js@4.2.1, a package that didn't exist before yesterday. it's a full RAT dropper, one npm install and it:
→ runs a postinstall script silently
→ detects your OS (mac, windows, linux)
→ downloads a platform-specific payload
→ deletes itself after execution
→ replaces its own package.json with a clean decoy
you check your node_modules after, everything looks normal, but the damage is already done.
axios has 100M+ weekly downloads, this isn't some random package, it's in almost every JS project you've ever touched (including me)
if you use axios:
→ pin your version to 1.14.0 or below
→ audit your lockfiles right now
→ do NOT run npm install with latest
→ check if plain-crypto-js exists in your node_modules
this is the most sophisticated npm supply chain attack we've seen on a top-10 package. stop trusting npm install blindly.
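The lockfile audit that Luke Berry's post (search the lockfile for axios@1.14.1 / axios@0.30.4) and the post above (check whether plain-crypto-js is present) both call for, written out as an added example; this is not code from any poster here or from SupplyGuard, the sample lockfile is constructed, and the version and package names are the ones the thread quotes.

```javascript
// Added example, not code from any poster on this page or from SupplyGuard:
// audit a package-lock.json for the axios releases and the plain-crypto-js
// dependency named in the thread. Supports lockfileVersion 1 (nested
// "dependencies" tree) and 2/3 ("packages" map keyed by node_modules path).
"use strict";

const BAD_AXIOS = new Set(["1.14.1", "0.30.4"]); // versions named in the thread
const SUSPECT_PKG = "plain-crypto-js";            // dependency named in the thread

// lockfileVersion 1: recurse through nested "dependencies" objects.
function walkV1(deps, visit, prefix = []) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = [...prefix, name];
    visit(name, meta.version, path.join(" > "));
    walkV1(meta.dependencies, visit, path);
  }
}

// lockfileVersion 2/3: keys look like "node_modules/a/node_modules/@s/b";
// the package name is whatever follows the last "node_modules/".
function walkV23(packages, visit) {
  const marker = "node_modules/";
  for (const [key, meta] of Object.entries(packages || {})) {
    if (key === "") continue; // root project entry, not a dependency
    const name = key.slice(key.lastIndexOf(marker) + marker.length);
    visit(name, meta.version, key);
  }
}

// Returns one finding per matching entry; an empty array means no match.
function auditLockfile(lock) {
  const findings = [];
  const visit = (name, version, where) => {
    if (name === "axios" && BAD_AXIOS.has(version)) {
      findings.push({ kind: "compromised-axios", name, version, where });
    }
    if (name === SUSPECT_PKG) {
      findings.push({ kind: "phantom-dependency", name, version, where });
    }
  };
  if (lock.packages) walkV23(lock.packages, visit);
  else walkV1(lock.dependencies, visit);
  return findings;
}

// Constructed sample lockfile (v3 shape) showing the pattern the thread describes:
// a caret range resolved to 1.14.1, which in turn pulled in plain-crypto-js@4.2.1.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/follow-redirects": { version: "1.15.9" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK)); // two findings: axios@1.14.1 and plain-crypto-js@4.2.1
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")); a non-empty result is the signal to pin back to 1.14.0 / 0.30.3 as the posts advise.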
saad62@worstrbx
@SlowMist_Team Standard tools (npm audit) are blind to the 'plain-crypto-js' phantom dependency used in this attack. I've built a 10-second CLI scanner to hunt these specific 2026 Axios patterns. Open source & free: github.com/saadgheh/Suppl…
SlowMist@SlowMist_Team
🚨 Another major supply chain incident 🚨 axios — one of the most widely used npm packages — has been compromised. Malicious versions axios@1.14.1 and axios@0.30.4 were published and are actively dropping malware. The attack pulls in a newly created dependency plain-crypto-js@4.2.1, confirmed as a malicious loader: it executes obfuscated payloads, runs shell commands, and attempts to evade detection while wiping traces. With 100M+ weekly downloads, this is a live, large-scale supply chain attack. More details: stepsecurity.io/blog/axios-com…
Quoting Feross@feross (the post quoted above).
saad62@worstrbx
@Dhaval_B7 Standard tools (npm audit) are blind to the 'plain-crypto-js' phantom dependency used in this attack. I've built a 10-second CLI scanner to hunt these specific 2026 Axios patterns. Open source & free: github.com/saadgheh/Suppl…