Developer | CCO @todasasletras_ | Digital Design @anhembimorumbi | MBA @fiap | Speaker | A11y 🇧🇷🇺🇸🇪🇸🇫🇷🏳🌈
Joined July 2016
- Tweets 5,195
- Following 870
- Followers 3,918
- Likes 29,918
1,039 Photos and videos
May 11
Pessoal, voltei a procurar emprego como Front-end. Se souberem de alguma vaga, me avisem. Meu LinkedIn ta atualizado e meu currículo posso enviar por DM:
linkedin.com/in/lucasjs
1
4
255
213
Lucas J Soares retweeted
Mar 31
🚨a biblioteca AXIOS foi comprometida, com 300 milhões de downloads semanais 🚨
se você tá acordando agora no Brasil você tem a chance de salvar o repositório da sua empresa
pesquisa no seu lockfile por essas 2 versões:
axios@1.14.1
axios@0.30.4
se estiverem presentes, pina uma versão específica abaixo (dependendo da major) e dá merge IMEDIATAMENTE
npm install axios@1.14.0
npm install axios@0.30.3
o impacto disso vai ser catastrófico
🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages.
The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise.
This is textbook supply chain installer malware. axios has 100M weekly downloads. Every npm install pulling the latest version is potentially compromised right now.
Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence
If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
26
170
2,319
372,187
