GasCope
Someone Sneaked a Malware Package Into npm's Most Popular HTTP Client

Heads up, degens: there's an active supply chain attack hitting Axios, and it's basically the Web3 equivalent of someone swapping your MetaMask for a lookalike that sends all your keys to Pyongyang.

According to Feross Aboukhadijeh, co-founder of Socket Security, the latest axios@1.14.1 is currently pulling in plain-crypto-js@4.2.1—a package that literally did not exist before today. That's not suspicious at all, right? Just a brand new dependency materializing out of thin air like a freshly minted meme coin with no roadmap.

Axios is one of npm's most depended-on packages, with over 100 million weekly downloads. For context, that's basically the entire JavaScript ecosystem doing a collective npm install every few seconds. It's the USDT of HTTP clients—everyone uses it, nobody admits to reading its source code, and now someone's trying to rug it.

Socket's analysis confirms plain-crypto-js is an obfuscated dropper/loader. The malware can:

  • Delete and rename artifacts post-execution to destroy forensic evidence
  • Stage and copy payload files to OS temp and Windows ProgramData directories
  • Execute decoded shell commands

Basically, it's doing everything a well-behaved piece of malware should do—except ask permission. Very Web2 of it, honestly. At least Web3 rug pulls come with a Discord announcement.

Feross recommends developers using axios immediately pin their versions and audit their lockfiles. Hold off on any updates until this gets sorted. Consider this your friendly reminder to actually read your package.json instead of just smashing npm install like it's a speedrun. Yes, we know that package.json is basically just a list of things you're trusting with your production environment. No, you probably haven't read most of them. That's the whole point of this chaos.

Publisher: gascope.com
Updated: Mar 31, 2026, 11:14 UTC
