Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/355446?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/355446?format=api", "vulnerability_id": "VCID-qkmj-smh6-2bgn", "summary": "Embedded Malicious Code via compromised maintainer account\nTwo malicious versions of the axios npm package (1.14.1 and 0.30.4) were published on March 31, 2026 using a compromised maintainer account. Both versions inject a hidden dependency (`plain-crypto-js@4.2.1`) that deploys a cross-platform remote access trojan targeting macOS, Windows, and Linux. The malicious `postinstall` script contacts a command-and-control server and downloads a platform-specific second-stage payload. Any system that ran `npm install` while either version was available should be treated as fully compromised. The malicious packages have been removed from the npm registry.", "aliases": [ { "alias": "GHSA-fw8c-xr5c-95f9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62854?format=api", "purl": "pkg:npm/axios@0.30.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-axk7-6q4b-vuga" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/axios@0.30.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/1088747?format=api", "purl": "pkg:npm/axios@1.14.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-axk7-6q4b-vuga" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.14.0" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1088745?format=api", "purl": "pkg:npm/axios@0.30.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-qkmj-smh6-2bgn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/axios@0.30.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/1088746?format=api", "purl": "pkg:npm/axios@1.14.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-qkmj-smh6-2bgn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.14.1" } ], "references": [ { "reference_url": "https://github.com/axios/axios/issues/10604", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/axios/axios/issues/10604" }, { "reference_url": "https://socket.dev/blog/axios-npm-package-compromised", "reference_id": "", "reference_type": "", "scores": [], "url": "https://socket.dev/blog/axios-npm-package-compromised" }, { "reference_url": "https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html" }, { "reference_url": "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan" } ], "weaknesses": [ { "cwe_id": 506, "name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qkmj-smh6-2bgn" }