The popular HTTP client known as Axios has suffered a supply chain attack after two newly published versions of the npm package introduced a malicious dependency.
Versions 1.14.1 and 0.30.4 of Axios have been found to inject "plain-crypto-js" version 4.2.1 as a fake dependency.
According to StepSecurity, the two versions were published using the compromised npm credentials of the primary Axios



Source: TheHackerNews
Source Link: https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html