Axios Compromised on NPM – Malicious Versions Drop Remote Access Trojan

📰 Updated 2026-03-31 11:30

🔸 Axios Compromised on NPM – Malicious Versions Drop Remote Access Trojan

🔥 17 points

Original text:
On March 31, 2026, StepSecurity identified two malicious versions of the widely used axios HTTP client library published to npm: axios@1.14.1 and axios@0.30.4. Both versions were published using the compromised npm credentials of a lead axios maintainer, bypassing the project’s normal GitHub Actions CI/CD pipeline. The attacker changed the maintainer’s account email to an anonymous ProtonMail address and manually published the poisoned packages via the npm CLI. The malicious versions inject a …


