
Vulnerability_id VCID-qkmj-smh6-2bgn
Summary
Embedded Malicious Code via compromised maintainer account
Two malicious versions of the axios npm package (1.14.1 and 0.30.4) were published on March 31, 2026 from a compromised maintainer account. Both versions add a hidden dependency (`plain-crypto-js@4.2.1`) that deploys a cross-platform remote access trojan targeting macOS, Windows, and Linux. The malicious `postinstall` script contacts a command-and-control server and downloads a platform-specific second-stage payload. Because the payload runs at install time rather than when axios is imported, any system on which either version was installed (for example by an unpinned `npm install` or `npm update` while the versions were live) should be treated as fully compromised. The malicious versions have been removed from the npm registry.
Aliases
alias GHSA-fw8c-xr5c-95f9
Fixed_packages
0
purl pkg:npm/axios@0.30.3
is_vulnerable true
affected_by_vulnerabilities VCID-axk7-6q4b-vuga
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@0.30.3
1
purl pkg:npm/axios@1.14.0
is_vulnerable true
affected_by_vulnerabilities VCID-axk7-6q4b-vuga
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.14.0
Affected_packages
0
purl pkg:npm/axios@0.30.4
is_vulnerable true
affected_by_vulnerabilities VCID-qkmj-smh6-2bgn
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@0.30.4
1
purl pkg:npm/axios@1.14.1
is_vulnerable true
affected_by_vulnerabilities VCID-qkmj-smh6-2bgn
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.14.1
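The Summary describes an install-time payload in a `postinstall` script, and the Fixed_packages entries above are themselves marked is_vulnerable (VCID-axk7-6q4b-vuga), so a practitioner needs to find both the compromised versions and the rollback targets anywhere in a dependency tree, including nested copies. The lockfile scanner below is an added example, not code from this page, from VulnerableCode, or from the axios project. It assumes a package-lock.json of lockfileVersion 2 or 3 (the "packages" map and the hasInstallScript flag npm records there); the sample lockfile embedded in it is constructed for the example.

```javascript
// Added example (not code from the VulnerableCode page or the axios project):
// scan a package-lock.json (lockfileVersion 2 or 3) for the compromised axios
// releases, the hidden dependency they inject, and every package that declares
// an install script, which is where the advisory's postinstall payload ran.

// Malicious identifiers named in the advisory, as package URLs (purls).
const MALICIOUS = new Set([
  "pkg:npm/axios@1.14.1",
  "pkg:npm/axios@0.30.4",
  "pkg:npm/plain-crypto-js@4.2.1",
]);

// Versions listed under Fixed_packages on the page but still marked
// is_vulnerable there (VCID-axk7-6q4b-vuga): rolling back to them is not a
// clean state, so they are reported separately.
const STILL_FLAGGED = new Set(["pkg:npm/axios@0.30.3", "pkg:npm/axios@1.14.0"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Build an npm purl; the purl spec percent-encodes the "@" of a scope.
function purl(name, version) {
  const encoded = name.startsWith("@") ? "%40" + name.slice(1) : name;
  return `pkg:npm/${encoded}@${version}`;
}

// Walk every installed package recorded in the lockfile. Nested copies
// (e.g. a second axios under some-dep/node_modules/) are separate entries,
// so a hoisted clean version does not hide a compromised nested one.
function scanLockfile(lock) {
  if (!lock.packages) {
    throw new Error(`lockfileVersion ${lock.lockfileVersion} has no "packages" map; need v2 or v3`);
  }
  const findings = { malicious: [], stillFlagged: [], installScripts: [] };
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "") continue; // the root project itself
    const id = purl(entry.name || nameFromLockPath(lockPath), entry.version);
    if (MALICIOUS.has(id)) findings.malicious.push({ path: lockPath, purl: id });
    else if (STILL_FLAGGED.has(id)) findings.stillFlagged.push({ path: lockPath, purl: id });
    // npm sets hasInstallScript when a package has preinstall/install/postinstall.
    if (entry.hasInstallScript) findings.installScripts.push({ path: lockPath, purl: id });
  }
  return findings;
}

// Constructed lockfile for the example; not a real project's lockfile.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", hasInstallScript: true },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/legacy-tool": { version: "2.0.0" },
    "node_modules/legacy-tool/node_modules/axios": { version: "0.30.3" },
    "node_modules/native-addon": { version: "1.2.3", hasInstallScript: true },
  },
};

function main() {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("node:fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  const f = scanLockfile(lock);
  for (const hit of f.malicious) console.log(`MALICIOUS      ${hit.purl}  (${hit.path})`);
  for (const hit of f.stillFlagged) console.log(`STILL-FLAGGED  ${hit.purl}  (${hit.path})`);
  for (const hit of f.installScripts) console.log(`INSTALL-SCRIPT ${hit.purl}  (${hit.path})`);
  // Fail a CI job when a real lockfile contains a compromised version.
  if (file && f.malicious.length > 0) process.exitCode = 1;
}

if (typeof require !== "undefined" && require.main === module) main();
```

Run it as `node scan.js path/to/package-lock.json`; with no argument it scans the built-in sample. The install-script list is a review aid rather than a verdict, since many legitimate native packages declare one, but the malicious list is exact: a match means the host ran the advisory's postinstall payload and falls under the "treat as fully compromised" guidance.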
References
0
reference_url https://github.com/axios/axios/issues/10604
1
reference_url https://socket.dev/blog/axios-npm-package-compromised
2
reference_url https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html
3
reference_url https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
Weaknesses
0
cwe_id 506
name Embedded Malicious Code
description The product contains code that appears to be malicious in nature.
1
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
2
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_score null
Exploitability 0.5
Weighted_severity 0.0
Risk_score null
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qkmj-smh6-2bgn