Skip to main content

One post tagged with "Dependency Risk"

Posts about dependency assurance and supply-chain failure modes.

View All Tags

The Axios npm Compromise: Why Trusted Dependencies Still Need Evidence

· 5 min read
SCS Community
Maintainer

On 31 March 2026, Google Threat Intelligence reported a software supply-chain attack against the widely used axios npm package. The attacker introduced a malicious dependency, plain-crypto-js, into axios npm releases 1.14.1 and 0.30.4.

The malicious dependency used a postinstall hook to deploy the cross-platform WAVESHAPER.V2 backdoor across Windows, macOS, and Linux. Google attributed the activity to a North Korea-nexus actor tracked as UNC1069.