Compromised npm Maintainer Account Publishes Malicious Axios Versions with Backdoor via `plain-crypto-js` Dependency
via Dev.to, Pavel Kostromin

Introduction: The Axios Compromise

Yesterday, the npm ecosystem was jolted by the discovery of malicious versions of Axios (1.14.1 and 0.30.4), published through a compromised maintainer account. These versions bypassed the standard GitHub Actions release pipeline, introducing a backdoor via the plain-crypto-js dependency. The mechanism of compromise is straightforward: the attacker exploited weak account security to inject malicious code into the package, which then propagates through dependency resolution during installation.

How the Backdoor Works

The plain-crypto-js dependency acts as a trojan horse. When Axios 1.14.1 or 0.30.4 is installed, npm's dependency resolver fetches plain-crypto-js, which contains obfuscated code designed to exfiltrate sensitive data. The causal chain is clear: compromised account → malicious package publication → dependency injection → data exfiltration. This attack leverages npm's trust model, where maintainers' credentials are the primary gatekeep
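A defender-side lockfile check, added here as an example and not code from the article or the Axios project: it walks a package-lock.json (v2/v3 "packages" shape or the older v1 nested "dependencies" shape) and flags axios at the two versions named above, plus any resolved copy of plain-crypto-js wherever it appears in the tree. The sample lockfile and the version numbers of the non-axios packages in it are constructed for the demonstration.

```javascript
// Affected axios versions and the carrier dependency, as named in the post.
const AFFECTED_AXIOS = new Set(["1.14.1", "0.30.4"]);
const SUSPECT_PACKAGE = "plain-crypto-js";

// Yield {name, version, path} for every installed package in the lockfile.
// v2/v3 lockfiles key entries by install path under "packages"; v1 lockfiles
// nest them under "dependencies". A v2 file has both, so "packages" wins.
function* lockEntries(lock) {
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project itself
      const marker = "node_modules/";
      const name = meta.name || path.slice(path.lastIndexOf(marker) + marker.length);
      yield { name, version: meta.version, path };
    }
  } else if (lock.dependencies) {
    const walk = function* (deps, prefix) {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        yield { name, version: meta.version, path };
        if (meta.dependencies) yield* walk(meta.dependencies, `${path}/`);
      }
    };
    yield* walk(lock.dependencies, "");
  }
}

// Return one finding per affected axios install and per plain-crypto-js copy.
function auditLockfile(lock) {
  const findings = [];
  for (const e of lockEntries(lock)) {
    if (e.name === "axios" && AFFECTED_AXIOS.has(e.version))
      findings.push({ kind: "affected-axios", ...e });
    if (e.name === SUSPECT_PACKAGE)
      findings.push({ kind: "suspect-dependency", ...e });
  }
  return findings;
}

// Constructed sample lockfile (v3 shape); versions other than axios are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "*" } },
    "node_modules/plain-crypto-js": { version: "0.0.1" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

module.exports = { auditLockfile, lockEntries, SAMPLE_LOCK };
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` in place of SAMPLE_LOCK; an empty result means neither the affected axios versions nor plain-crypto-js are resolved in that tree.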
