The popular npm package axios was compromised after an attacker hijacked a lead maintainer account and published malicious versions. Those releases pulled in a hidden dependency that installed a cross-platform RAT on macOS, Windows and Linux.

Researchers say the malware could begin phoning home in about 1.1 seconds, then delete its own installer and replace it with clean-looking files to hide what happened.

That is the nightmare: trusted packages, automated installs, almost no visible trace.

Watch: https://www.youtube.com/watch?v=eGSsoSEppNU

How much trust should we really place in package registries now?

#NPM #Axios #CyberSecurity #OpenSource #InfoSec #JavaScript #SupplyChainSecurity