
Axios, Super Popular NPM Package, Was Compromised in Attack on the Module’s Maintainer

StepSecurity:

If you have installed [email protected] or [email protected], assume your
system is compromised.

There are zero lines of malicious code inside axios itself, and
that’s exactly what makes this attack so dangerous. Both poisoned
releases inject a fake dependency, [email protected], a
package never imported anywhere in the axios source, whose sole
purpose is to run a postinstall script that deploys a
cross-platform remote access trojan. The dropper contacts a live
command-and-control server, delivers separate second-stage
payloads for macOS, Windows, and Linux, then erases itself and
replaces its own package.json with a clean decoy. A developer who
inspects their node_modules folder after the fact will find no
indication anything went wrong.

This was not opportunistic. It was precision. The malicious
dependency was staged 18 hours in advance. Three payloads were
pre-built for three operating systems. Both release branches were
poisoned within 39 minutes of each other. Every artifact was
designed to self-destruct. Within two seconds of npm install,
the malware was already calling home to the attacker’s server
before npm had even finished resolving dependencies. This is among
the most operationally sophisticated supply chain attacks ever
documented against a top-10 npm package.

Could be my bigotry against JavaScript speaking, but I find it unsurprising that this happened to the same framework that this and this happened to.
