Sunday, April 05, 2026

Security: Minimum Release Age

Minimum Release Age is an Underrated Supply Chain Defense | Dani Akash

Axios is the HTTP library that lives in basically every JavaScript project on the planet. Someone stole a maintainer's npm token, published two poisoned versions, and within 2 seconds of running npm install, a cross-platform RAT was phoning home to a command-and-control server. macOS, Windows, Linux. All of them. The malicious code even deleted itself after execution and swapped its own package.json to cover its tracks.


# ~/.bunfig.toml
[install]
minimumReleaseAge = 604800 # 7 days in seconds
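What the bunfig setting above actually enforces at resolution time, as an added example that is not code from the article, from Bun or from npm: given a package's registry publish timestamps (the shape of the npm registry's `time` field), skip every version younger than 7 days and install the newest one that remains. The package name, version numbers and dates are constructed; in the axios incident the poisoned versions would have sat in the "too new" bucket for a week, long enough for them to be pulled.

```javascript
// Added example of a minimum-release-age resolver (not Bun's or npm's code).
// Value matches the bunfig above: 7 days expressed in seconds.
const MIN_RELEASE_AGE_SECONDS = 604800;

// Constructed packument excerpt. "time" maps version -> ISO publish timestamp,
// as the npm registry returns it. The two newest versions are minutes old.
const samplePackument = {
  name: "example-lib",
  "dist-tags": { latest: "1.4.1" },
  time: {
    created: "2024-01-10T00:00:00.000Z",
    modified: "2026-04-01T12:05:00.000Z",
    "1.3.8": "2026-02-20T09:00:00.000Z",
    "1.3.9": "2026-03-15T14:30:00.000Z",
    "1.4.0": "2026-04-01T12:00:00.000Z",
    "1.4.1": "2026-04-01T12:05:00.000Z",
  },
};

// Parse "major.minor.patch" into numbers; prerelease suffixes are dropped.
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}

// Numeric semver comparison for plain x.y.z versions.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Return the highest version published at least minAgeSeconds before `now`,
// or null when every published version is still inside the quarantine window.
function resolveWithMinimumAge(packument, minAgeSeconds, now = new Date()) {
  const cutoff = now.getTime() - minAgeSeconds * 1000;
  const eligible = Object.entries(packument.time)
    .filter(([key]) => key !== "created" && key !== "modified")
    .filter(([, published]) => Date.parse(published) <= cutoff)
    .map(([version]) => version)
    .sort(compareVersions);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

// Without the policy a fresh install would take dist-tags.latest (1.4.1);
// with it, an install one hour after the suspicious publish gets 1.3.9.
console.log(resolveWithMinimumAge(samplePackument, MIN_RELEASE_AGE_SECONDS,
  new Date("2026-04-01T13:00:00Z")));
```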

What happened, are you affected & how to prevent - axios supply chain attack - YouTube
Maximilian Schwarzmüller
