Axios supply chain attack - dependency in @lightdash/cli may resolve to compromised axios versions
- Severity:
- High
Description
A supply chain attack on the axios npm package (versions 1.14.1 and 0.30.4) introduced a malicious transitive dependency ([email protected]) that deploys a cross-platform remote access trojan (RAT) on macOS, Windows, and Linux. The attacker compromised the primary axios maintainer’s npm account to publish the malicious versions.
Recommendation
Update the @lightdash/cli package to the latest compatible version. Followings are version details:
- Affected version(s): >= 0.1800.0, < 0.2695.1
- Patched version(s): 0.2695.1
References
Related Issues
- Potential XSS in jQuery dependency in Mirador - Vulnerability
- Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain - CVE-2026-40175
- Axios Cross-Site Request Forgery Vulnerability - CVE-2023-45857
- Axios is vulnerable to DoS attack through lack of data size check - CVE-2025-58754
You might also like:
- Tags:
- npm
- @lightdash/cli
Anything's wrong? Let us know Last updated on April 02, 2026


