gregmcc
Attack on axios software developer tool threatens widespread compromises
Researchers at numerous firms are sounding warnings about the supply-chain attack on an open-source project with 100 million weekly downloads.
A hacker briefly delivered malware this week through a popular open-source project for software developers that has an estimated 100 million weekly downloads, raising the possibility of compromises spreading widely through a supply-chain attack.
Axios is a JavaScript client library used in web requests. The unknown attacker hijacked the npm account — npm being a package manager for JavaScript — of the lead axios maintainer, and then published malicious versions of axios with remote access trojans to npm. That happened on Sunday night going into Monday morning, cybersecurity firm Huntress said, before the poisoned versions were pulled.
Aikido, another security firm, called it “one of the most impactful npm supply chain attacks on record.” Researchers at a large number of cyber companies have sounded alarms about the attack, including Step Security, Socket, Endor Labs and others.