Buy Crypto
Pay with
USD
USD
Buy & Sell
Hot
Supports Visa, MasterCard, SEPA & more
P2P
0 Fees
Flexible trading, zero fees
Gate Card
Use your crypto for payments worldwide
Markets
Trade
Basic
Advanced
Futures
Futures
Access hundreds of perpetual contracts
TradFi
Gold
One platform for global traditional assets
Options
Hot
Trade European-style vanilla options
Unified Account
Maximize your capital efficiency
Demo Trading
Introduction to Futures Trading
Learn the basics of futures trading
Futures Events
Join events to earn rewards
Demo Trading
Use virtual funds to practice risk-free trading
Earn
Launch
CandyDrop
Collect candies to earn airdrops
Launchpool
Quick staking, earn potential new tokens
HODLer Airdrop
Hold GT and get massive airdrops for free
Pre-IPOs
tag
Unlock full access to global stock IPOs
Alpha Points
Trade on-chain assets and earn airdrops
Futures Points
Earn futures points and claim airdrop rewards
Investment
Square
Square
Post, share, and explore crypto trends
Live
moments live
Live crypto market analysis
Chat
Chat with crypto traders
News
What is happening in crypto
flower_head
More
Promotions
AI
Diğerleri
TradFi
WCTC S8
Rewards

Supply chain attack hits Axios npm releases, users urged to rotate keys

Cointelegraph
Security Incidents

Two malicious Axios npm releases have prompted warnings for developers to rotate credentials and treat affected systems as compromised after a supply chain attack poisoned the popular JavaScript HTTP client library.

The compromise was first reported by cybersecurity company Socket, which said axios@1.14.1 and axios@0.30.4 were modified to pull in plain-crypto-js@4.2.1, a malicious dependency that ran automatically during installation before the releases were removed from npm.

According to security company OX Security, the altered code can give attackers remote access to infected devices, allowing them to steal sensitive data such as login credentials, API keys and crypto wallet information.

The incident shows how a single compromised open-source component can potentially ripple across thousands of applications that rely on it, exposing not just developers but also platforms and users connected to the system.

Security companies urge key rotation, system audits

OX Security warned developers who installed axios@1.14.1 or axios@0.30.4 to treat their systems as fully compromised and immediately rotate credentials, including API keys and session tokens.

Socket said the compromised Axios releases were modified to include a dependency on plain-crypto-js@4.2.1, a package published shortly before the incident and later identified as malicious.

**Related: **__Trust Wallet browser extension knocked offline by Chrome Store ‘bug,’ CEO says

The company said the dependency was configured to run automatically during installation through a post-install script, allowing attackers to execute code on target systems without additional user interaction.

Socket advised developers to review their projects and dependency files for the affected Axios versions and the associated plain-crypto-js@4.2.1 package, and to remove or roll back any compromised versions immediately.

Earlier crypto incidents highlight supply chain risks

Earlier crypto incidents have shown how supply chain breaches can escalate from stolen developer information to user-facing wallet losses.

On Jan. 3, onchain investigator ZachXBT reported that “hundreds” of wallets across Ethereum Virtual Machine-compatible networks were drained in a broad attack that siphoned small amounts from each victim.

Cybersecurity researcher Vladimir S. said the incident was potentially linked to a December breach affecting Trust Wallet, which resulted in roughly $7 million in losses across over 2,500 wallets.

Trust Wallet later said the breach may have originated from a supply chain compromise involving npm packages used in its development workflow.

**Magazine: **__Nobody knows if quantum secure cryptography will even work

Cointelegraph is committed to independent, transparent journalism. This news article is produced in accordance with Cointelegraph’s Editorial Policy and aims to provide accurate and timely information. Readers are encouraged to verify information independently. Read our Editorial Policy

  • #Blockchain
  • #Security
  • #Hackers
  • #Cybersecurity
  • #Hacks
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to Disclaimer.

Related Articles

CoW Swap users warned after Blockaid flags COW.FI frontend attack

Security Incidents

Blockaid flags CoW Swap's cow.fi frontend as malicious, urging users to revoke token approvals and avoid the dApp amid a broader wave of DeFi interface attacks. Summary Blockaid flags CoW Swap's main cow.fi frontend as malicious. Users are urged to revoke token approvals and avoid the dApp

Cryptonews2h ago

Bitcoin Core Developers Propose BIP-361 to Freeze 1.7M Early BTC Against Quantum Computing Threats

bitcoin newsRegulation & PolicySecurity Incidents

BIP-361, proposed by co-authors including Jameson Lopp, aims to secure early Bitcoin by migrating 1.7 million coins from weak P2PK addresses to stronger formats, allowing 3-5 years for users before freezing untransferred coins. Community responses vary significantly.

GateNews4h ago

CoW Swap Recovers cow.fi Domain After Social Engineering Attack on April 14

Project ProgressSecurity Incidents

CoW Swap regained control of its cow.fi domain after a social engineering attack that occurred on April 14. The attackers used forged documents to manipulate the DNS registrar and deploy a phishing site. Users affected by the incident are advised to revoke transaction approvals and transfer funds.

GateNews5h ago

Florida and Massachusetts jointly recover $5.4 million in cryptocurrency scam assets

bitcoin newsEnforcement ActionsSecurity Incidents

The Florida State Attorney’s Office and the Marion County Sheriff’s Office jointly recovered $5.4 million in cryptocurrency scam funds, involving an investment fraud scheme that used romance as a cover. Some of the funds have been returned to victims in Florida and Massachusetts. Since its inception, CFEU has recovered $7.2 million, and another $12.6 million in assets remains frozen. Massachusetts has also carried out multiple law-enforcement actions, shutting down scam websites and recovering funds.

MarketWhisper7h ago

Florida and Massachusetts Recover $5.4M in Crypto Fraud Assets from Romance Scam Scheme

Enforcement ActionsSecurity Incidents

Authorities in Florida and Massachusetts recovered $5.4 million in cryptocurrency from romance scam-related investment fraud, with victims receiving partial refunds. Ongoing efforts continue against crypto fraud, with additional assets under litigation.

GateNews8h ago

Crypto’s most ridiculous robbery? A hacker minted $1 billion in DOT tokens, but only stole $230k

Security Incidents

Hackers exploited the Hyperbridge cross-chain bridge vulnerability to mint 1 billion Polkadot (DOT) tokens. The nominal value was over $1.19 billion, but due to insufficient liquidity, they ultimately cashed out only about $237k. The attack was successful because the smart contract did not properly verify messages, allowing the hackers to steal administrative control and mint coins. The incident highlights the key role of market liquidity in the success of arbitrage.

CryptoCity21h ago
Comment
0/400
No comments