Axios supply chain attack - dependency in @lightdash/cli may resolve to compromised axios versions
A supply chain attack on the axios npm package (versions 1.14.1 and 0.30.4) introduced a malicious transitive dependency (plain-crypto-js@4.2.1) that deploys a cross-platform remote access trojan (RAT) on macOS, Windows, and Linux. The attacker compromised the primary axios maintainer's npm account to publish the malicious versions. The malicious versions were live on npm for approximately 3 hours (00:21 UTC to 03:29 UTC on March 31, 2026) before being removed. The …
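A lockfile check for the versions named above, as an added example that is not part of the advisory or the lightdash project: it walks an npm `package-lock.json` (assumes the `lockfileVersion` 2 or 3 layout, where nested installs appear as `node_modules/.../node_modules/<name>` paths) and flags any exact match on the compromised axios and plain-crypto-js versions. The sample lockfile, including the `@lightdash/cli` placeholder version, is constructed.

```javascript
// Added example, not from the advisory or the lightdash project: scan an npm
// package-lock.json (lockfileVersion 2 or 3) for the axios and plain-crypto-js
// versions named in the advisory. Package names and versions come from the
// advisory; the lockfile below is constructed sample input.
const COMPROMISED = {
  axios: new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": new Set(["4.2.1"]),
};

// Derive the package name from a lockfile path such as
// "node_modules/@lightdash/cli/node_modules/axios" -> "axios".
// Scoped names survive because the scope sits after the last "node_modules/".
function packageName(path, meta) {
  if (meta.name) return meta.name; // explicit name is present for npm aliases
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Return every installed package (top-level or nested) whose exact version
// is on the compromised list, as { path, name, version } records.
function findCompromised(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // "" is the root project, not a dependency
    const name = packageName(path, meta);
    const bad = COMPROMISED[name];
    if (bad && bad.has(meta.version)) hits.push({ path, name, version: meta.version });
  }
  return hits;
}

// Constructed sample: @lightdash/cli (placeholder version) carries a nested
// axios 0.30.4, while a top-level axios 1.14.1 brings in plain-crypto-js 4.2.1.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/@lightdash/cli": { version: "0.0.0-placeholder" },
    "node_modules/@lightdash/cli/node_modules/axios": { version: "0.30.4" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/some-safe-lib": { version: "1.0.0" },
  },
};

for (const hit of findCompromised(SAMPLE_LOCK)) {
  console.log(`COMPROMISED ${hit.name}@${hit.version} at ${hit.path}`);
}
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result means no installed copy matches these exact versions, not that the dependency range could never resolve to them.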