Axios npm compromise drops RAT

This is a textbook package-reputation attack: the source code stayed clean, but the release pipeline was hijacked, which is exactly where modern dependency defenses need to focus.

• –`plain-crypto-js@4.2.1` appears to have been added purely as a phantom dependency to run `postinstall`, so source review of axios itself would not catch the payload.
• –The malicious publish hit both the modern `1.x` line and the legacy `0.x` line, which widens exposure across teams with different pinning habits.
• –StepSecurity’s guidance is blunt: treat installs of `axios@1.14.1` or `axios@0.30.4` as compromised, roll back to the last known-good versions, and rotate secrets on affected hosts.
• –The incident also shows why trusted publishing and provenance checks matter; Axios’s normal GitHub Actions/OIDC release pattern was bypassed here.
• –For defenders, this is a reminder to monitor npm egress, lock dependency ranges, and flag any package that introduces an unused runtime dependency without a corresponding source change.