Axios npm supply chain attack (31 March 2026) — is WeWeb affected?

For anyone who hasn’t seen it yet: earlier today, two compromised versions of axios were published to npm (1.14.1 and 0.30.4). An attacker hijacked the lead maintainer’s npm account and injected a malicious dependency that drops a RAT via a postinstall script. The compromised versions were live for roughly 2-3 hours before npm pulled them. Full write-up from StepSecurity here: axios Compromised on npm - Malicious Versions Drop Remote Access Trojan - StepSecurity

Since WeWeb’s build pipeline presumably runs npm install on its servers when bundling projects, I wanted to ask:

  1. Does WeWeb use axios as a dependency (I believe it does)?
  2. Did any WeWeb build servers run npm install during the exposure window (~00:21–03:15 UTC on 31 March)?
  3. If so, has the team confirmed whether the compromised version was pulled, and have the appropriate steps been taken on the build infrastructure?

To be clear — the malicious payload targets the machine running npm install (i.e. WeWeb’s servers), not end users’ browsers. The axios source code itself wasn’t modified. But if build infrastructure was compromised, that’s obviously a broader platform concern.

Would be great to get confirmation from the WeWeb team that this has been checked. Thanks.

Hey Jon 👋

I believe WeWeb projects are not affected as we didn’t release anything during the exposure window.

But let me get the full picture from the tech team and get back to you on this 🙂

Thanks Joyce - had confirmation from Daniel that WeWeb projects were not affected. With regards to WeWeb infrastructure, it’s the same. Nothing was compromised. WeWeb uses Axios 1.12, same for exported projects.

Hopefully this thread can help others looking for confirmation – though a proactive customer alert might give some comfort too.
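
Added example (not part of the original thread and not WeWeb's tooling): one way to check a project's own `package-lock.json` for the two axios versions named in the first post, including nested and aliased installs. The function name `findCompromisedAxios` and the sample lockfile are constructed for illustration.

```javascript
// Versions named in the thread as compromised.
const COMPROMISED_AXIOS = new Set(['1.14.1', '0.30.4']);

// Takes a parsed package-lock.json and returns [{ path, version }] per hit.
// Handles lockfileVersion 2/3 (flat "packages" map keyed by install path)
// and lockfileVersion 1 (nested "dependencies" tree).
function findCompromisedAxios(lock) {
  const hits = new Map(); // install path -> version, deduplicated across formats

  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root entry describes the project itself
    // Aliased installs carry the real package name in "name"; otherwise
    // the name is the last segment after "node_modules/".
    const name = meta.name || path.split('node_modules/').pop();
    if (name === 'axios' && COMPROMISED_AXIOS.has(meta.version)) {
      hits.set(path, meta.version);
    }
  }

  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'axios' && COMPROMISED_AXIOS.has(meta.version)) {
        hits.set(path, meta.version);
      }
      walk(meta.dependencies, `${path}/`); // transitive copies nest here in v1
    }
  };
  walk(lock.dependencies, '');

  return [...hits].map(([path, version]) => ({ path, version }));
}

// Constructed sample lockfile: a safe top-level axios, a nested compromised
// copy pulled in by a hypothetical SDK, and a compromised copy under an alias.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.12.0' },
    'node_modules/some-sdk': { version: '2.0.0' },
    'node_modules/some-sdk/node_modules/axios': { version: '1.14.1' },
    'node_modules/http-alias': { name: 'axios', version: '0.30.4' },
  },
};

console.log(findCompromisedAxios(SAMPLE_LOCK));
```

A clean lockfile only shows what is pinned now; a machine that ran `npm install` without a lockfile during the exposure window needs its installed `node_modules` and install logs checked separately.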