Malicious Dependency Injection in Axios NPM Package

60% confidence

Description

A supply chain attack compromised the Axios NPM package by injecting a malicious dependency 'plain-crypto-js' into versions 1.14.1 and 0.30.4. This dependency acts as an obfuscated dropper for the WAVESHAPER.V2 backdoor, targeting Windows, macOS, and Linux systems. [Auto-archived: reprocess_no_remaining_articles — 2026-04-01T01:38:38.873Z]

Affected Products

Vendor	Product	Versions
Google Threat Intelligence Group	axios	1.14.1, 0.30.4, 4.2.1

Related News (1 articles)

Tier C

Mandiant Blog13h ago

North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-20

PublishedMar 31, 2026

Last enriched1h agov2

Community Vote

Vulnerability Timeline

CVE Published

Mar 31, 2026

Actively Exploited

Mar 31, 2026

Exploit Available

Mar 31, 2026

Discovered by ZDM

Mar 31, 2026

Updated: vendor, affectedVersions, severity, cvssEstimate, cweIds, iocs, mitreAttack, tags

Apr 1, 2026

Version History

Last enriched 1h ago

v2Tier C1h ago

Updated vendor to Google Threat Intelligence Group, added new affected version 4.2.1, changed severity to HIGH, updated CVSS estimate to 7.5, added new CWE, IOC, and MITRE ATT&CK technique T1071.001.

vendoraffectedVersionsseveritycvssEstimatecweIdsiocsmitreAttacktags

via Mandiant Blog

v14h ago

Initial creation

Malicious Dependency Injection in Axios NPM Package

Description

Affected Products

Related News (1 articles)

Community Vote

Pin to Dashboard

Verification

Vulnerability Timeline

Version History