Axios supply chain attack - dependency in @lightdash/cli may resolve to compromised axios versions
Severity: High
Description
A supply chain attack on the axios npm package (versions 1.14.1 and 0.30.4) introduced a malicious transitive dependency ([email protected]) that deploys a cross-platform remote access trojan (RAT) on macOS, Windows, and Linux. The attacker compromised the primary axios maintainer’s npm account to publish the malicious versions.
Recommendation
Update the @lightdash/cli package to the latest compatible version. The following are the version details:
- Affected version(s): >= 0.1800.0, < 0.2695.1
- Patched version(s): 0.2695.1
References
Related Issues
- Phishing attack vulnerability by uploading malicious HTML file - CVE-2023-32689
- axios Inefficient Regular Expression Complexity vulnerability - CVE-2021-3749
- Compromised xrpl.js versions 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2 - CVE-2025-32965
- x402 SDK vulnerable in outdated versions in resource servers for builders - x402-express - Vulnerability
Tags: npm, @lightdash/cli
Last updated on April 02, 2026