
Axios npm Package Compromised in Supply Chain Attack
Tags: npm, Axios, supply chain attack, malware, cybersecurity
Malicious versions of the Axios npm package (1.14.1 and 0.30.4) were published to the npm registry, containing a malware dropper named plain-crypto-js@4.2.1. These compromised versions were available for approximately 24 hours before being removed by npmjs. Users who ran npm install during this period should check their lockfiles for the affected Axios versions and for plain-crypto-js. The malicious plain-crypto-js package was also removed from the registry.
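
One way to run the lockfile check described above, as an added example that is not part of the original report or any npm tooling: the function scans a package-lock.json (both the flat "packages" layout and the older nested "dependencies" layout) for the versions named in this advisory. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: versions below are the ones named in the advisory text.
const BAD = new Map([
  ["axios", ["1.14.1", "0.30.4"]],
  ["plain-crypto-js", ["4.2.1"]],
]);
const MARK = "node_modules/";

function isBad(name, version) {
  return (BAD.get(name) || []).includes(version);
}

// lockText: contents of package-lock.json, e.g. read with fs.readFileSync.
function findCompromised(lockText) {
  const lock = JSON.parse(lockText);
  const hits = new Set();

  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const i = path.lastIndexOf(MARK);
    const name = meta.name || (i >= 0 ? path.slice(i + MARK.length) : path);
    if (isBad(name, meta.version)) hits.add(`${name}@${meta.version} (${path})`);
  }

  // lockfileVersion 1 (and the legacy mirror in v2): nested "dependencies".
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}${MARK}${name}`;
      if (isBad(name, meta.version)) hits.add(`${name}@${meta.version} (${path})`);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");

  return [...hits].sort();
}

// Constructed sample lockfile (v3 layout), not from a real project.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
});
console.log(findCompromised(SAMPLE_LOCK));
```

A hit only shows that the lockfile resolved one of the listed versions; an empty result on the current lockfile does not cover installs made from an earlier revision, so check the lockfile history for the exposure window as well.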