axios

OpenAI stated that during a recent industry-wide security incident, potential security issues were discovered in the third-party development library Axios that they use. After investigation, no evidence was found of user data being accessed, systems being compromised, or software being tampered with.Out of caution, OpenAI has initiated security reinforcement measures, focusing on strengthening the authentication mechanism of the macOS application to prevent malicious parties from distributing counterfeit official applications. OpenAI also reminds all macOS users to update to the latest version of the application as soon as possible, either through in-app updates or official channels, to reduce potential risks.

The attacker stole the npm access token of the chief maintainer of Axios, the most popular HTTP client library for JavaScript, and used that token to publish two malicious versions containing cross-platform remote access trojans (RATs) ([email protected] and [email protected]), targeting macOS, Windows, and Linux systems. The malicious packages were removed from the npm registry about 3 hours after being published.According to data from security company Wiz, Axios is downloaded over 100 million times weekly and exists in about 80% of cloud and code environments. Security company Huntress detected the first infections just 89 seconds after the malicious packages went live and confirmed that at least 135 systems were compromised during the exposure window. Notably, the Axios project had previously deployed modern security measures such as OIDC trusted publishing mechanisms and SLSA provenance proofs, but the attacker completely bypassed these defenses. Investigations revealed that while configuring OIDC, the project retained the traditional long-lived NPM_TOKEN, and npm defaults to using the traditional token when both coexist, allowing the attacker to publish without breaching OIDC.

Slow Fog has once again issued a security reminder stating to pay attention to checking for malicious versions of axios and the exposure risk of OpenClaw npm global installation history. [email protected] and [email protected] have been confirmed as malicious versions, both of which have injected the dependency [email protected], delivering cross-platform malicious payloads through the postinstall script.The impact of OpenClaw is assessed based on scenarios: source code builds are not affected, as the locked versions in the lock file are 1.13.5/1.13.6; however, users who installed via npm install -g [email protected] face historical exposure risks due to the presence of optionalDependencies.axios@^1.7.4 in the dependency chain, which may resolve to [email protected] during the time window when the malicious version is still online. Currently, npm has reverted the resolution to [email protected], but environments that were installed during the attack window are still advised to be checked. Slow Fog has provided inspection commands and IoC paths for various platforms; if the plain-crypto-js directory is found, even if the package.json has been cleaned, it should still be regarded as high-risk execution traces. It is recommended that affected hosts immediately rotate credentials and conduct host-side inspections. Previously, Slow Fog founder Yu Xian reminded that OpenClaw version 3.28 may introduce a toxic version of axios, and users need to urgently check.

Slow Fog founder Yu Xian issued a security reminder stating: We are fairly certain that if the user's OpenClaw is the latest version 3.28, it may introduce a poisoned axios, please be cautious in your checks.In addition, related Skills may also rely on axios, leading to indirect poisoning. Due to the widespread use of axios, a comprehensive check can be conducted under certain conditions.

According to market news, Socket has detected that version 1.14.1 of the npm core package axios is experiencing an active supply chain attack. The attacker injected a malicious dependency package to implant malicious code into axios. Developers using axios are advised to immediately pin the version and review the project's lock files.

ChainCatcher news, according to AXIOS, U.S. President Trump will sign an executive order on Monday.

ChainCatcher news, according to Axios, U.S. Senator Elizabeth Warren has written to David Sacks, the head of cryptocurrency and artificial intelligence affairs for the Trump administration, requesting the disclosure of potential conflicts of interest and transparency in the policy-making process.Warren questioned whether policymakers might profit as the government deeply supports the blockchain industry. She specifically pointed out that Sacks was a partner at Craft Ventures, which invested in Bitwise, and the top five assets of the Bitwise 10 Index Fund (BTC, ETH, SOL, XRP, ADA) are precisely the assets the Trump administration plans to include in its strategic reserves.After Trump announced the strategic Bitcoin reserve, the market briefly surged by $300 billion, only to plummet afterward due to the government's statement that it would not purchase additional assets. Warren is demanding that Sacks publicly disclose his financial reports to prove he has divested from related investments and reveal whether policymakers had any relevant trades before the announcement.

ChainCatcher news, according to AXIOS, the White House calls for public input on artificial intelligence policy.

ChainCatcher news, according to AXIOS, Trump is considering appointing an artificial intelligence minister to coordinate federal policy and the government's use of emerging technologies.

Chain Carcher news, according to Axios, FTX has approached the U.S.-based cryptocurrency exchange Kraken about a potential rescue deal. Axios states that the details of the negotiations are unclear and may continue or fall apart, adding that both FTX and Kraken declined to comment. (Source link)

ChainCatcher news, according to sources cited by Axios, Musk has instructed Twitter engineers to prepare for a Vine reboot, which may be ready by the end of the year. It is reported that Twitter shut down this looping video app in 2016.Yesterday, Musk initiated a user poll asking "Should we bring Vine back?" At the time of this post, the ratio of support to opposition was about 7:3. (Axios)