2026-03-31 — Malware in plain-crypto-js and axios (GHSA-2x9r-6wxq-hrr7, GHSA-fw8c-xr5c-95f9)

GitHub published two fresh advisories for malicious packages:

Why this matters

This is supply-chain malware, not a normal vulnerability disclosure. The durable lesson is operational:

  • Treat any host that installed or ran the package as potentially compromised.
  • Assume any secrets available on that machine may be burned.
  • Prefer reimage over ad-hoc cleanup if the package executed with meaningful privileges.

Immediate actions

  • Identify every install/run location:
      • developer workstations
      • CI runners
      • build hosts
      • container images
  • Remove the package and revert lockfiles to known-good versions.
  • Rotate exposed secrets from a different, known-clean machine:
      • CI tokens
      • deploy keys
      • registry credentials
      • cloud/API credentials present on the host
  • Invalidate or refresh build caches that may contain malicious artifacts.
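To carry out the first two steps across many repositories, here is an added example (my own script, not part of the advisory or of either project) that inventories every package-lock.json under a source tree for the two named packages, in both lockfile v1 and v2/v3 layouts, and records version, resolved URL and integrity for comparison against the GHSA pages. AFFECTED is a placeholder to fill from those pages, the names WATCHED, lock_hits, scan_tree and demo are mine, and the lockfile in demo() is constructed.

```python
import json
import os
import tempfile

WATCHED = {"plain-crypto-js", "axios"}
AFFECTED = {"plain-crypto-js": set(), "axios": set()}  # placeholder: fill from the two GHSA pages

def _hit(path, name, info):
    """One resolution record; 'affected' only means something once AFFECTED is filled in."""
    return {"path": path, "name": name, "version": info.get("version"), "resolved": info.get("resolved"),
            "integrity": info.get("integrity"), "affected": info.get("version") in AFFECTED[name]}

def _walk_v1(deps, prefix, out):
    """Lockfile v1 nests transitive dependencies under each entry's own 'dependencies'."""
    for name, info in (deps or {}).items():
        path = f"{prefix}node_modules/{name}"
        if name in WATCHED:
            out.append(_hit(path, name, info))
        _walk_v1(info.get("dependencies"), path + "/", out)

def lock_hits(lock):
    """Return every resolution of a watched package in one parsed package-lock.json."""
    out = []
    if "packages" in lock:  # lockfile v2/v3: flat map keyed by install path, "" is the root project
        for path, info in lock["packages"].items():
            name = info.get("name") or path.rsplit("node_modules/", 1)[-1]
            if path and name in WATCHED:
                out.append(_hit(path, name, info))
    else:
        _walk_v1(lock.get("dependencies"), "", out)
    return out

def scan_tree(root):
    """Map every package-lock.json under root (node_modules not descended) to its hits."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        if "package-lock.json" in filenames:
            lockfile = os.path.join(dirpath, "package-lock.json")
            with open(lockfile) as fh:
                results[lockfile] = lock_hits(json.load(fh))
    return results

def demo():
    """Scan a constructed v3 lockfile: a direct plain-crypto-js and an axios nested under foo."""
    lock = {"packages": {"": {"name": "app"}, "node_modules/plain-crypto-js": {"version": "0.0.0-constructed"},
                         "node_modules/foo/node_modules/axios": {"version": "0.0.0-constructed"}}}
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "package-lock.json"), "w") as fh:
            json.dump(lock, fh)
        return {os.path.relpath(k, d): v for k, v in scan_tree(d).items()}
```

Lockfiles with no hits are still listed (with an empty list), so the output doubles as the record of which locations were checked.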

Detection and triage

  • Review install logs and CI output around dependency resolution.
  • Look for:
      • unexpected outbound connections during install/build/test
      • new persistence mechanisms
      • suspicious binaries or scripts dropped in temp directories
      • tampering with release artifacts