axios hit by supply-chain attack: two new versions introduce a malicious dependency, immediate rollback advised

BlockBeatNews

According to monitoring by 1M AI News, the research team at supply-chain security company Socket disclosed today that axios, the widely used JavaScript HTTP client library, has suffered a supply-chain attack. Two newly published versions (v1.14.1 and v0.30.4) both contain a malicious dependency, and neither version appears in the official axios GitHub Release history, a departure from the project's normal release process.

Both versions pull in the malicious package plain-crypto-js@4.2.1. That package was published on 30 March at 23:59:12 UTC, and Socket's automated detection flagged it about 6 minutes later. Socket noted that this timing closely matches the publication of the new axios versions, indicating that the malicious dependency was dropped in coordination with the axios releases. The npm account associated with the malicious package is jasonsaayman; Socket said this raises concerns about an "unauthorized publish or account compromise".

Socket advises developers to check their project dependencies and lockfiles immediately for axios@1.14.1, axios@0.30.4 or plain-crypto-js@4.2.1 and, if any is found, to roll back at once to a known-good version. The incident is still under investigation.
