https://xcancel.com/feross/status/2038807290422370479
>CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages.
>The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise.
>This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now.
>Deobfuscates embedded payloads and operational strings at runtime
>Dynamically loads fs, os, and execSync to evade static analysis
>Executes decoded shell commands
>Stages and copies payload files into OS temp and Windows ProgramData directories
>Deletes and renames artifacts post-execution to destroy forensic evidence
>>108490170
I don't use node. This does not effect me. I don't pull random jeep package from the Internet like a street shitter.
>>108490209
Well jeet this might still AFFECT you by compromising a service you use
>>108490216
I don't use any services other than 4chins.
>goyimscript
Lmao
is this confirmed?
maybe this will teach people to stop using jeetcode and write programs from scratch like a real man
why can humans audit the packages they use before updtooding? I thought they were better than chatgpt and made no mistakes?
I thought we were supposed to have flying cars
>>108490480
>it's another "jeets talking to each other using AI" episode
>>108490170
Deserved
>>108490170
everyone who installs a dependency for a thin wrapper around fetch() deserves to get pwned