[Security Alert] 2026-03-31: Popular JavaScript request library Axios hit by an npm supply-chain poisoning attack
Update
The malicious package plain-crypto-js@4.2.1 has now been replaced by npm with an empty placeholder,
and the affected axios versions have been removed from the npm registry.
Be sure to check whether any install or CI build ran while the malicious package was live (Beijing time, 2026-03-31, roughly 8:00 AM to 11:30).
Related discussion
axios@1.14.1 and axios@0.30.4 are compromised
Opened 03:00AM - 31 Mar 26 UTC ashishkurmi
more details: https://www.stepsecurity.io/blog/axios-compromised-on-npm-maliciou…s-versions-drop-remote-access-trojan Most likely, a maintainer's GitHub and npm accounts are compromised as these issues are getting deleted. I have also reported this as a vulnerability, so that a CVE can be generated.
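One way to carry out the check recommended above is to scan lockfiles for the versions named in this alert. The following is an added example, not part of the original post or of the axios project; `findCompromised`, `FLAGGED` and the sample lockfile are constructed for illustration.

```javascript
// Added example: versions below are the ones named in this alert.
const FLAGGED = new Map([
  ["axios", new Set(["1.14.1", "0.30.4"])],
  ["plain-crypto-js", new Set(["4.2.1"])],
]);

const isFlagged = (name, version) => Boolean(FLAGGED.get(name)?.has(version));

// Takes a parsed package-lock.json (lockfileVersion 1, 2 or 3) and returns
// every installed copy, including nested ones, that matches FLAGGED.
function findCompromised(lock) {
  const hits = new Map(); // keyed by install path: v2 files carry both layouts

  // v2/v3 layout: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i === -1) continue; // root project or workspace folder, not a dependency
    // meta.name is set only for aliased installs; otherwise use the path.
    const name = meta.name || path.slice(i + "node_modules/".length);
    if (isFlagged(name, meta.version)) hits.set(path, { name, version: meta.version, path });
  }

  // v1 layout (also kept in v2 for compatibility): nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (isFlagged(name, meta.version)) hits.set(path, { name, version: meta.version, path });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return [...hits.values()];
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/demo-lib/node_modules/axios": { version: "1.13.0" }, // not flagged
  },
};

for (const h of findCompromised(SAMPLE_LOCK)) {
  console.log(`FOUND ${h.name}@${h.version} at ${h.path}`);
}
```

For a real project, pass the result of `JSON.parse` on the committed `package-lock.json`. A clean lockfile does not cover CI jobs that ran `npm install` without a lockfile during the window, so build logs from that period still need review.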

