⚠️ Security: axios supply chain attack — plain-crypto-js found in your project #800

@Jdubin1417

What happened

On March 31, 2026, the npm package axios was compromised. Malicious versions (1.14.1 / 0.30.4) were published that silently installed a phantom dependency called plain-crypto-js — a package created solely to deliver malware.

We found plain-crypto-js in your pnpm-lock.yaml. This dependency should not exist in any legitimate project.

What this means

If pnpm install was run on this project between March 31–April 1, 2026, the lockfile pulled the compromised version. Note: pnpm does not auto-run postinstall scripts by default, so the RAT may not have deployed — but the malicious dependency was still resolved.

⚠️ NPM PACKAGE ALERT: Since this is an npm package (esm-bundle/react-dom), please verify no compromised artifacts were published. Your downstream users may be affected.

Recommended actions

  1. Check the machine that last ran install — run the detection script
  2. Remove plain-crypto-js from your lockfile and pin axios to a safe version
  3. Verify published package — ensure no compromised build artifacts were published to npm
  4. Rotate credentials — npm tokens, CI secrets, any keys accessible from dev machine
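For step 1, a minimal lockfile check can be run on the machine that last installed. The script below is an added example written for this issue, not the detection script the report refers to; it greps a pnpm-lock.yaml for the two indicators the report names (any reference to plain-crypto-js, and axios resolved at 1.14.1 or 0.30.4) and exits non-zero when either is present. The lockfile path argument and the exit-code convention are this example's own choices.

```shell
#!/bin/sh
# Added example: scan a pnpm-lock.yaml for the indicators named in the report.
# Returns 0 when no indicator is found, 1 when one is, 2 when the file is missing.
scan_lockfile() {
  lockfile="${1:-pnpm-lock.yaml}"   # default path is an assumption of this example
  hits=0
  if [ ! -f "$lockfile" ]; then
    echo "no lockfile at $lockfile" >&2
    return 2
  fi
  # plain-crypto-js should not appear in any legitimate lockfile, so any line mentioning it is a hit.
  if grep -n 'plain-crypto-js' "$lockfile"; then
    hits=$((hits + 1))
  fi
  # pnpm records resolved packages as "axios@<version>" keys (older lockfiles prefix a "/").
  # Match only the two versions the report identifies as compromised.
  if grep -nE 'axios@(1\.14\.1|0\.30\.4)([^0-9]|$)' "$lockfile"; then
    hits=$((hits + 1))
  fi
  [ "$hits" -eq 0 ]
}

# Stand-alone use: scan the lockfile in the current directory and report.
if [ "${0##*/}" != "sh" ] && [ -z "$SCAN_LOCKFILE_NO_MAIN" ]; then
  if scan_lockfile "${1:-pnpm-lock.yaml}"; then
    echo "clean: no indicators found"
  else
    echo "ALERT: indicators found, follow the remediation steps" >&2
  fi
fi
```

Run it from the project root (or pass the lockfile path) on the machine that last ran install; matching lines are printed with their line numbers so they can be removed before re-resolving with a pinned axios. A clean result from this check only means the lockfile is free of these two indicators; it says nothing about whether a postinstall script already ran, so step 4 (credential rotation) still applies if the install happened in the affected window.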

More info


This is a one-time notification. If you've already addressed this or this is a false positive, feel free to close.

Disclosure: This contribution was developed with AI assistance (OpenClaw, powered by Copilot).
