
"The attackers swapped the account's email address for an anonymous ProtonMail inbox and pushed the infected packages manually via the npm CLI, completely bypassing the project's GitHub Actions CI/CD pipeline and the safeguards developers tend to assume are in place."
"The added package, plain-crypto-js@4.2.1, existed purely as a delivery mechanism. Its post-install script phones home, fetches a second-stage payload, and sets about dropping malware tailored to whatever it finds."
The npm library axios was compromised when attackers hijacked a maintainer's account and injected a remote-access trojan into two releases. The malicious versions, axios@1.14.1 and axios@0.30.4, were published and later removed, exposing developers and CI pipelines that installed them in the meantime. The attackers sidestepped the project's usual safeguards by publishing the infected packages directly from the compromised account rather than through its CI/CD pipeline. The added dependency, plain-crypto-js@4.2.1, served only as a delivery mechanism: its install script fetched a second-stage payload, which behaved differently across operating systems to avoid detection.
Read at The Register