Active Supply Chain Attack on axios 1.14.1
axios@1.14.1, published 2026-03-31, introduces a new dependency plain-crypto-js@4.2.1 that was not present in axios@1.14.0. This package is malicious — it contains an obfuscated postinstall script (setup.js) that downloads and executes a remote payload.

Evidence
- axios@1.14.0 dependencies: follow-redirects, form-data, proxy-from-env (3 deps)
- axios@1.14.1 dependencies: same 3 + plain-crypto-js (new, not in any prior axios version)
- plain-crypto-js has "postinstall": "node setup.js" in its scripts
- setup.js is heavily obfuscated — it decodes base64 strings, writes scripts to the OS temp directory, executes them via shell (macOS) or PowerShell (Windows), then deletes itself
Discussion Highlights (1 comment)
nullbyte
npm security team has removed the offending package: https://github.com/axios/axios/issues/10604#issuecomment-415... new installs should be safe now