4643 matches found

Talos Blog
added 2026/04/03 5:31 p.m., 4 views

Do not get high(jacked) off your own supply (chain)

In the span of just a few weeks, we have observed a dizzying array of major supply chain attacks. Prominent examples include the malicious modification of Axios, a popular HTTP client library for JavaScript, as well as cascading compromises from TeamPCP, a "chaos-as-a-service" group that injected...

AI score: 5.9
Exploits: 0

Talos Blog
added 2026/04/03 5:00 p.m., 6 views

Axios NPM supply chain incident

Cisco Talos is actively investigating the March 31, 2026 supply chain attack on the official Axios node package manager (npm) package, during which two malicious versions, v1.14.1 and v0.30.4, were deployed. Axios is one of the more popular JavaScript libraries with as many as 100 million downloads pe...

AI score: 6.1
Exploits: 0

The Hacker News
added 2026/04/03 11:04 a.m., 7 views

UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack

The maintainer of the Axios npm package has confirmed that the supply chain compromise was the result of a highly-targeted social engineering campaign orchestrated by North Korean threat actors tracked as UNC1069. Maintainer Jason Saayman said the attackers tailored their social engineering effor...

AI score: 6
Exploits: 0

OSV
added 2026/04/02 6:36 p.m., 4 views

GHSA-3HFP-GQGH-XC5G Axios supply chain attack - dependency in @lightdash/cli may resolve to compromised axios versions

Impact: A supply chain attack on the axios npm package versions 1.14.1 and 0.30.4 introduced a malicious transitive dependency [email protected] that deploys a cross-platform remote access trojan (RAT) on macOS, Windows, and Linux. The attacker compromised the primary axios maintainer's npm...

CVSS: 9.6 | AI score: 6.2
Exploits: 0 | References: 9

Github Security Blog
added 2026/04/02 6:36 p.m., 7 views

Axios supply chain attack - dependency in @lightdash/cli may resolve to compromised axios versions

Impact: A supply chain attack on the axios npm package versions 1.14.1 and 0.30.4 introduced a malicious transitive dependency [email protected] that deploys a cross-platform remote access trojan (RAT) on macOS, Windows, and Linux. The attacker compromised the primary axios maintainer's npm...

AI score: 6.1
Exploits: 0 | References: 9 | Affected software: 1

OSV
added 2026/04/02 6:34 p.m., 4 views

GHSA-658G-P7JG-WX5G Axios npm Supply Chain Incident Impacting @usebruno/cli

Impact: This is a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran npm install between 00:21 UTC and 03:30 UTC on March 31, 2026 may have been...

CVSS: 9.8 | AI score: 5.9 | EPSS: 0.00234
Exploits: 0 | References: 7

Github Security Blog
added 2026/04/02 6:34 p.m., 13 views

Axios npm Supply Chain Incident Impacting @usebruno/cli

Impact: This is a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran npm install between 00:21 UTC and 03:30 UTC on March 31, 2026 may have been...

CVSS: 9.8 | AI score: 5.9 | EPSS: 0.00234
Exploits: 0 | References: 7 | Affected software: 1

NVD
added 2026/04/02 6:16 p.m., 4 views

CVE-2026-34576

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get with no SSRF protections. The only validation is a file extension check (.png, .jpg, etc.), which is trivially...

CVSS: 8.3 | EPSS: 0.00267
Exploits: 1 | References: 2

IBM Security Bulletins
added 2026/04/02 3:45 p.m., 3 views

Security Bulletin: IBM Langflow Desktop Axios Denial of Service

Summary Axios is used by IBM Langflow Desktop as part of its HTTP communication functionality in Node.js environments, enabling it to send and receive network requests to external services and APIs. A vulnerability in Axios affects how data: scheme URLs are handled by its Node.js HTTP adapter,...

CVSS: 7.5 | AI score: 6.8 | EPSS: 0.01099
Exploits: 1 | Affected software: 1

Positive Technologies
added 2026/04/02 12:00 a.m., 8 views

PT-2026-29967

Name of the Vulnerable Software and Affected Versions: @usebruno/cli versions installed between 00:21 UTC and 03:30 UTC on March 31, 2026. Description: A supply chain attack involving compromised versions of the axios npm package introduced a hidden dependency deploying a cross-platform Remote Acces...

CVSS: 9.8 | AI score: 6 | EPSS: 0.00234
Exploits: 0 | References: 9

Positive Technologies
added 2026/04/02 12:00 a.m., 6 views

PT-2026-29908

Impact: This is a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran npm install between 00:21 UTC and 03:30 UTC on March 31, 2026 may have been...

CVSS: 9.8 | AI score: 5.9
Exploits: 0 | References: 7

Microsoft Secure
added 2026/04/01 9:00 p.m., 7 views

Mitigating the Axios npm supply chain compromise

On March 31, 2026, two new npm packages for updated versions of Axios, a popular HTTP client for JavaScript that simplifies making HTTP...

AI score: 6.6
Exploits: 0

The Hacker News
added 2026/04/01 7:44 a.m., 6 views

Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069

Google has formally attributed the supply chain compromise of the popular Axios npm package to a financially motivated North Korean threat activity cluster tracked as UNC1069. "We have attributed the attack to a suspected North Korean threat actor we track as UNC1069," John Hultquist, chief analy...

AI score: 6.5
Exploits: 0

RedHat Linux
added 2026/03/31 4:12 p.m., 3 views

axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig

A denial of service flaw has been discovered in the Axios npm package. The mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via...

CVSS: 7.5 | AI score: 6.7 | EPSS: 0.02591
Exploits: 1 | References: 7

Malwarebytes
added 2026/03/31 2:53 p.m., 5 views

Axios supply chain attack chops away at npm trust

Researchers found that compromised Axios versions installed a Remote Access Trojan. Axios is a promise-based HTTP Client for node.js, basically a helper tool that developers use behind the scenes to let apps talk to the internet. For example, Axios makes requests such as “get my messages from the...

AI score: 5.9
Exploits: 0

HackRead
added 2026/03/31 1:49 p.m., 5 views

Hackers Poison Axios npm Package with 100 Million Weekly Downloads

Axios npm Package compromised in a supply chain attack, exposing developers to malware, data theft, and full system takeover risks worldwide...

AI score: 5.9
Exploits: 0

Veracode
added 2026/03/31 8:45 a.m., 8 views

Prototype Pollution

Axios is vulnerable to Prototype Pollution. The vulnerability is due to the mergeConfig function crashing with a TypeError when processing configuration objects containing __proto__ as an own property, where an attacker can trigger this by providing a malicious configuration object created via...

CVSS: 7.5 | AI score: 7 | EPSS: 0.02591
Exploits: 1 | References: 48 | Affected software: 2

Wiz blog
added 2026/03/31 8:26 a.m., 5 views

Axios NPM Distribution Compromised in Supply Chain Attack

A compromised axios maintainer account led to malicious npm releases that propagated across environments. Learn how to assess impact, detect compromise, and secure your development workflows...

AI score: 5.9
Exploits: 0

The Hacker News
added 2026/03/31 6:08 a.m., 17 views

Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account

The popular HTTP client known as Axios has suffered a supply chain attack after two newly published versions of the npm package introduced a malicious dependency that delivers a trojan capable of targeting Windows, macOS, and Linux systems. Versions 1.14.1 and 0.30.4 of Axios have been found to...

AI score: 6.6
Exploits: 0