🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M weekly downloads. Every npm install pulling the latest version is potentially compromised right now. Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that: • Deobfuscates embedded payloads and operational strings at runtime • Dynamically loads fs, os, and execSync to evade static analysis • Executes decoded shell commands • Stages and copies payload files into OS temp and Windows ProgramData directories • Deletes and renames artifacts post-execution to destroy forensic evidence If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.

警告⚠️ 立即取消关注并拉黑此人，多次改名，应该是惯犯了 距离上次锤人已经快一年了，没想到又有人在脚本里投毒 不过这次的人明显学聪明了，分享的是一个压缩包，压缩包里藏了一个 botrun.exe，是个用 Go 语言写的 Windows 执行文件 经过分析发现，这个 exe 的函数名全是随机无意义的单词，比如 Cardiovascularauthorization、Subsidiaries，这是恶意软件为了规避检测，常用的混淆手段，而且它还包含网络通信功能，大概率是木马或钱包盗取工具 证据看图吧 手动 @evilcos 余弦大佬看下

Can you spot the XSS vulnerability? 👀 Test it out live at: pwnbox.xyz

ks直播事故。漏洞肯定被黑灰利用了。黑灰的盈利可比那点赏金赚多了。珍惜负责人披露的白帽子吧👽