Zero-day vulnerability in axios
Embedded malicious code (backdoor)
Vulnerability details
Advisory: SB20260331101 - Backdoor in Axios
Vulnerable component: axios
CVE-ID:
CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
CWE-ID: CWE-506 - Embedded Malicious Code
Description:
The vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists due to presence of embedded malicious functionality in the application code (aka backdoor) that allows a remote attacker to gain unauthorized access to the application. Attacker compromised axios repository and introduced a new dependency plain-crypto-js.
External links:
https://www.endorlabs.com/learn/npm-axios-compromise
https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat