A supply chain attack compromised the Axios NPM package by injecting a malicious dependency 'plain-crypto-js' into versions 1.14.1 and 0.30.4. This dependency acts as an obfuscated dropper for the WAVESHAPER.V2 backdoor, targeting Windows, macOS, and Linux systems.

| Vendor | Product | Versions |
|---|---|---|
| — | axios | 1.14.1, 0.30.4 |
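
One way to check a project against the versions listed above, as an added example that is not part of the original advisory: it scans a parsed npm lockfile (v1 nested `dependencies` or v2/v3 flat `packages`) for the affected axios releases and the injected `plain-crypto-js` dependency. The function names and the sample lockfile, including the `0.0.0-sample` version string, are constructed for illustration.

```javascript
const AFFECTED = new Map([['axios', new Set(['1.14.1', '0.30.4'])]]); // from the advisory table
const INJECTED = 'plain-crypto-js'; // dependency named in the advisory

// Constructed sample in lockfileVersion 3 shape, not from a real project.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/axios/node_modules/plain-crypto-js': { version: '0.0.0-sample' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; null if no marker.
function nameFromPath(path) {
  const i = path.lastIndexOf('node_modules/');
  return i === -1 ? null : path.slice(i + 'node_modules/'.length);
}

function check(name, version, where, findings) {
  const versions = AFFECTED.get(name); // Map lookup avoids prototype keys
  if (name === INJECTED) {
    findings.push({ name, version, where, reason: 'injected dependency' });
  } else if (versions && versions.has(version)) {
    findings.push({ name, version, where, reason: 'affected release' });
  }
}

// Lockfile v1 nests transitive packages under each entry's "dependencies".
function walkV1(deps, trail, findings) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = trail.concat(name);
    check(name, info.version, here.join(' > '), findings);
    walkV1(info.dependencies, here, findings);
  }
}

function scanLockfile(lock) {
  const findings = [];
  if (lock.packages) { // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [path, info] of Object.entries(lock.packages)) {
      // Skip the root entry (""); "name" is present when the package is aliased.
      const name = path ? info.name || nameFromPath(path) : null;
      if (name) check(name, info.version, path, findings);
    }
  } else {
    walkV1(lock.dependencies, [], findings);
  }
  return findings;
}
```

To scan a real project, pass the result of `JSON.parse` on its `package-lock.json` contents to `scanLockfile`; an empty array means neither indicator was found in that lockfile.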