Active supply chain attack targeting axios 1.14.1
axios@1.14.1, published 2026-03-31, introduces a new dependency, plain-crypto-js@4.2.1, that was not present in axios@1.14.0. This package is malicious: it contains an obfuscated postinstall script (setup.js) that downloads and executes a remote payload.
Evidence
axios@1.14.0 dependencies: follow-redirects, form-data, proxy-from-env (3 deps)
axios@1.14.1 dependencies: the same 3 + plain-crypto-js (new; not present in any prior axios version)
plain-crypto-js has "postinstall": "node setup.js" in its scripts
setup.js is heavily obfuscated: it decodes base64 strings, writes scripts to the OS temp directory, executes them via shell (macOS) or PowerShell (Windows), then deletes itself.
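The check a consumer would want here is to diff the dependency set between two published versions and flag any newly added package that declares install-time lifecycle scripts. The following is an added example, not code from the advisory or from the axios project; the manifests and the `registry` lookup table are constructed from the figures above, and the "*" version ranges are placeholders.

```javascript
// Added example, not part of the advisory: diff the dependency sets of two
// manifests and flag newly added packages that declare npm lifecycle scripts
// which run during "npm install". Sample data is constructed from the
// advisory; "*" version ranges are placeholders, not the real values.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Dependency names declared by a package.json-style manifest.
function depNames(manifest) {
  return new Set([
    ...Object.keys(manifest.dependencies || {}),
    ...Object.keys(manifest.optionalDependencies || {}),
  ]);
}

// Names present in `next` that `prev` did not declare.
function newDependencies(prev, next) {
  const before = depNames(prev);
  return [...depNames(next)].filter((name) => !before.has(name)).sort();
}

// For every added dependency, look up its manifest in `registry`
// (assumed shape: name -> manifest) and report the install-time hooks it
// declares. A hit means "npm install" will execute that package's code.
function flagInstallScripts(prev, next, registry) {
  return newDependencies(prev, next).map((name) => {
    const scripts = (registry[name] && registry[name].scripts) || {};
    const hooks = INSTALL_HOOKS.filter((h) =>
      Object.prototype.hasOwnProperty.call(scripts, h)
    );
    return { name, hooks, commands: hooks.map((h) => scripts[h]) };
  });
}

// Constructed sample data mirroring the advisory's dependency lists.
const axios1140 = {
  dependencies: { "follow-redirects": "*", "form-data": "*", "proxy-from-env": "*" },
};
const axios1141 = {
  dependencies: { ...axios1140.dependencies, "plain-crypto-js": "4.2.1" },
};
const registry = {
  "plain-crypto-js": { version: "4.2.1", scripts: { postinstall: "node setup.js" } },
};

console.log(flagInstallScripts(axios1140, axios1141, registry));
// -> [ { name: 'plain-crypto-js', hooks: [ 'postinstall' ], commands: [ 'node setup.js' ] } ]
```

In practice the `registry` table would be filled from the lockfile or from each package's manifest under node_modules; running this in CI on every lockfile change surfaces exactly the kind of new transitive dependency with a postinstall hook described above.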