On March 31, 2026, two malicious versions of axios were published to npm: axios@1.
Both were live for roughly three hours before npm pulled them down.
During that window, anyone whose npm install axios resolved to one of those versions could have had a Remote Access Trojan (RAT) dropped silently on their machine or CI runner, with no errors and no warnings.
This post walks through what happened, how the attack was carried out, and the exact commands to check whether you were affected.
The attacker compromised the npm account of axios's primary maintainer.
What makes this attack stand out: there was zero malicious code inside axios itself.
Source: Dev.to