Active Supply Chain Attack on axios 1.14.1

18 points by lemax a month ago · 2 comments · 1 min read


axios@1.14.1, published 2026-03-31, introduces a new dependency plain-crypto-js@4.2.1 that was not present in axios@1.14.0. This package is malicious — it contains an obfuscated postinstall script (setup.js) that downloads and executes a remote payload.

Evidence

axios@1.14.0 dependencies: follow-redirects, form-data, proxy-from-env (3 deps)

axios@1.14.1 dependencies: same 3 + plain-crypto-js (new, not in any prior axios version)

plain-crypto-js has "postinstall": "node setup.js" in its scripts

setup.js is heavily obfuscated — it decodes base64 strings, writes scripts to the OS temp directory, executes them via shell (macOS) or PowerShell (Windows), then deletes itself
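The two checks the post relies on, a dependency diff between the trusted and the suspect version and a look for install-time lifecycle scripts, can be automated against npm lockfiles. The following is an added example, not code from the post, from axios or from npm: it compares two lockfileVersion 2/3 objects, reports packages that appear only in the candidate, flags entries that npm marks with `hasInstallScript`, and inspects a manifest for `preinstall`/`install`/`postinstall`/`prepare` hooks. The lockfile and manifest objects are constructed inline to mirror the post's description (axios 1.14.0 with three deps versus 1.14.1 adding plain-crypto-js with `postinstall: node setup.js`); the versions of the transitive packages are placeholders, and `hasInstallScript` is the field npm itself writes for packages whose manifest declares an install script.

```javascript
'use strict';

// npm lifecycle hooks that run automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Map package name -> lockfile entry for a lockfileVersion 2/3 object, whose
// "packages" map is keyed by path ("node_modules/axios", nested paths too).
function packageNames(lock) {
  const names = new Map();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry, not a dependency
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    names.set(name, entry);
  }
  return names;
}

// Compare a trusted baseline lockfile with a candidate one and report
// (a) packages that are new in the candidate and (b) packages that carry
// an install script according to npm's own hasInstallScript flag.
function auditLockfile(baselineLock, candidateLock) {
  const before = packageNames(baselineLock);
  const after = packageNames(candidateLock);
  const added = [];
  const withInstallScripts = [];
  for (const [name, entry] of after) {
    const id = `${name}@${entry.version}`;
    if (!before.has(name)) added.push(id);
    if (entry.hasInstallScript === true) withInstallScripts.push(id);
  }
  return { added: added.sort(), withInstallScripts: withInstallScripts.sort() };
}

// List lifecycle hooks in a package.json manifest that execute at install time.
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Constructed sample data: the axios 1.14.0 tree (three deps, placeholder
// versions) versus a 1.14.1 tree that gains plain-crypto-js@4.2.1.
const BASELINE_LOCK = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '1.14.0' } },
    'node_modules/axios': { version: '1.14.0' },
    'node_modules/follow-redirects': { version: '1.0.0' }, // placeholder version
    'node_modules/form-data': { version: '1.0.0' },        // placeholder version
    'node_modules/proxy-from-env': { version: '1.0.0' },   // placeholder version
  },
};
const CANDIDATE_LOCK = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '1.14.1' } },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/follow-redirects': { version: '1.0.0' },
    'node_modules/form-data': { version: '1.0.0' },
    'node_modules/proxy-from-env': { version: '1.0.0' },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
  },
};
// Constructed manifest mirroring the scripts block described in the post.
const SAMPLE_MANIFEST = {
  name: 'plain-crypto-js', version: '4.2.1',
  scripts: { postinstall: 'node setup.js' },
};

// Run both checks over the constructed data; returned so callers can assert on it.
function auditSample() {
  return {
    ...auditLockfile(BASELINE_LOCK, CANDIDATE_LOCK),
    hooks: installHooks(SAMPLE_MANIFEST),
  };
}

const report = auditSample();
console.log('new packages:', report.added);            // [ 'plain-crypto-js@4.2.1' ]
console.log('install scripts:', report.withInstallScripts);
console.log('manifest hooks:', report.hooks);         // [ { hook: 'postinstall', command: 'node setup.js' } ]
```

Against real projects, load the two lockfiles with `JSON.parse(fs.readFileSync(...))` and pass them to `auditLockfile`; any package that is both new and has `hasInstallScript` is the first thing to read before the install is allowed to proceed. Running `npm install --ignore-scripts` in CI until such a diff has been reviewed prevents a `postinstall` hook from executing at all.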

nullbyte a month ago

npm security team has removed the offending package: https://github.com/axios/axios/issues/10604#issuecomment-415...

new installs should be safe now
