software minimalism please!

js should not be allowed to do anything more than nice animations

https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html

Axios is a promise-based HTTP client for browsers and Node.js — it simplifies making HTTP requests (GET/POST/etc.), handles JSON, supports interceptors, request/response config, cancellation, and custom instances.

Common software types and popular projects that use Axios (top 10 examples):

  • React applications (many CRA / Next.js examples and tutorials)
  • Vue.js applications (including Vue CLI projects)
  • Nuxt.js projects (server-rendered Vue apps and examples)
  • Next.js example apps and tutorials (React SSR/static apps often use Axios)
  • React Native apps (mobile apps fetching APIs)
  • Electron desktop apps (desktop JS apps making HTTP calls)
    • well Signal-Desktop is using Electron:
    • git clone https://github.com/signalapp/Signal-Desktop.git
    • grep -a -r -i -E --color=auto axios .
      ./pnpm-lock.yaml: axios@1.8.4:
      ./pnpm-lock.yaml: axios@1.8.4(debug@4.3.7):
      ./pnpm-lock.yaml: axios: 1.8.4(debug@4.3.7)
      ./pnpm-lock.yaml: axios: 1.8.4(debug@4.3.7)
    • axios@1.8.4:
      resolution: {integrity: sha512-eBSYY4Y68NNlHbHBMdeDmKNtDgXWhQsJcGqzO3iLUM0GraQFSS9cVgPX5I9b3lbdFKyYoAEGAZF1DwhTaljNAw==}
  • Gatsby starters and plugins (some starters use Axios for data fetching)
  • SvelteKit example projects (can be configured to use Axios)
  • Tauri apps (examples showing Axios with custom fetch adapter)
  • Node.js backend utilities and CLI tools (server-side HTTP requests with Axios)

How Axios Is Used

Rather than a specific top 30 list, axios is typically found as a direct or transitive dependency in:

  • Frontend frameworks: React, Vue, Angular projects
  • Backend frameworks: Express, Next.js, NestJS applications
  • AWS SDKs: The AWS SDK for JavaScript uses axios
  • GitHub Actions: Popular actions like slack-github-action (used by 23,000+ public repositories) depend on axios
  • Build tools and CI/CD: Countless development pipelines
  • Enterprise applications: Any project making HTTP requests

what to do?

  • software minimalism: only use and install packages that are absolutely required
    • try to implement more functionality without 3rd party packages
  • git servers and update servers have to be treated as critical infrastructure
  • be careful with job offers that sound too good to be true (also on linkedin)
  • “maintainer account associated with the axios package was compromised”: do not give direct write access to the main repository
    • rather create a separate repo on a server controlled by the legit dev and have all maintainers push their changes there
    • inspect all changes carefully before merging them upstream into the main git server (from where they will be distributed around the globe)
  • be careful “where a group masquerades as someone who is interested in working or partnering together on open source or similar”
  • get a fido key?
  • “it is sad to me that zero trust can be put in people as my only objective is to create useful things with code but it seems like the world is strongly against that with someone trying to steal / exploit something at every corner. my country's philosophy is “Ubuntu” – “I am because we are” or “humanity towards others” i hope that more can embrace that in the future” (src)
    • unfortunately the north korean hacker group UNC1069 will not give a damn 🙁

It’s currently not known who is behind the supply chain compromise, but Elastic said the macOS Mach-O binary delivered by the “plain-crypto-js” postinstall hook exhibits significant overlap with WAVESHAPER, a C++ backdoor tracked by Google-owned Mandiant last month and attributed to a North Korean threat actor known as UNC1069.

Users are advised to perform the following actions to ascertain compromise:

  • Check for the malicious Axios versions.
  • Check for RAT artifacts: “/Library/Caches/com.apple.act.mond” (macOS), “%PROGRAMDATA%\wt.exe” (Windows), and “/tmp/ld.py” (Linux).
  • Downgrade to Axios versions 1.14.0 or 0.30.3.
  • Remove “plain-crypto-js” from the “node_modules” directory.
  • If RAT artifacts are detected, assume compromise and rotate all credentials on the system.
  • Audit CI/CD pipelines for runs that installed the affected versions.
  • Block egress traffic to the command-and-control domain (“sfrclak[.]com”).

Socket, in its own analysis of the attack, said it identified two additional packages distributing the same malware through vendored dependencies –

In the case of “@shadanai/openclaw,” the package vendors the malicious “plain-crypto-js” payload directly (e.g., @shadanai/openclaw/files/2026.3.31-1/dist/extensions/slack/node_modules/plain-crypto-js/setup.js). On the other hand, “@qqbrowser/openclaw-qbot@0.0.130,” ships a tampered “axios@1.14.1” in its “node_modules/” folder with “plain-crypto-js” injected as a dependency.

“The real axios has only three dependencies (follow-redirects, form-data, proxy-from-env),” the supply chain security company said. “The addition of plain-crypto-js is unambiguous tampering. When npm processes this vendored axios, it installs plain-crypto-js and triggers the same malicious postinstall chain.”
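As an added example (not from the article, Socket, or the axios project), a small POSIX shell audit that applies the checks listed above and Socket's three-dependency observation to a checkout or build host: it flags an installed axios whose package.json declares anything beyond follow-redirects, form-data and proxy-from-env, looks for plain-crypto-js under node_modules (including vendored copies), and tests for the listed RAT artifact paths. The write_sample_axios helper and its version strings are constructed for demonstration only, and the parsing assumes axios's flat dependencies block.

```shell
#!/bin/sh
# Added example, not from the article or the axios project: audit a checkout or
# build host for the tampering signature and the RAT artifacts described above.
# The real axios declares exactly these three runtime dependencies (per Socket).
EXPECTED_DEPS="follow-redirects form-data proxy-from-env"

# Print the dependency names declared in a package.json, one per line.
# Assumes a flat "dependencies" object (true for axios), so no JSON parser needed.
list_deps() {
    sed -n '/"dependencies"[[:space:]]*:/,/}/p' "$1" \
        | grep -o '"[^"]*"[[:space:]]*:' | grep -v '"dependencies"' | tr -d '": '
}

# Return 0 if the axios package.json at $1 declares only EXPECTED_DEPS,
# 1 if anything else (such as plain-crypto-js) has been injected.
check_axios_deps() {
    rc=0
    for dep in $(list_deps "$1"); do
        case " $EXPECTED_DEPS " in
            *" $dep "*) ;;
            *) echo "UNEXPECTED dependency in $1: $dep"; rc=1 ;;
        esac
    done
    return $rc
}

# Return 1 if plain-crypto-js is installed anywhere under node_modules dir $1, else 0.
check_plain_crypto_js() {
    if find "$1" -type d -name plain-crypto-js | grep -q .; then
        echo "plain-crypto-js present under $1"; return 1
    fi
    return 0
}

# Return 1 if any RAT artifact path from the article exists under root $1
# ($1 may be a mounted image; %PROGRAMDATA%\wt.exe is mapped to /ProgramData).
check_rat_artifacts() {
    root="${1:-}"; rc=0
    for p in /Library/Caches/com.apple.act.mond /tmp/ld.py /ProgramData/wt.exe; do
        [ -e "$root$p" ] && { echo "RAT artifact present: $root$p"; rc=1; }
    done
    return $rc
}

# Constructed sample: write an axios-like package.json into $1; $2=1 injects plain-crypto-js.
write_sample_axios() {
    extra=""; [ "$2" = "1" ] && extra=', "plain-crypto-js": "0.0.0"'
    printf '{\n  "name": "axios",\n  "dependencies": {\n    "follow-redirects": "1",\n    "form-data": "4",\n    "proxy-from-env": "1"%s\n  }\n}\n' "$extra" > "$1/package.json"
}
```

Run the three check_* functions against a project's node_modules/axios/package.json, its node_modules directory, and the host root (or a mounted image) respectively; a non-zero exit from any of them is the signal to treat the system as compromised and rotate credentials, as the article advises.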

src: https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html
