Hacker News

sgt, today at 7:43 AM (1 reply)

Is this an issue for those only using axios on the frontend side like in a VueJS app?


Replies

dfreire, today at 9:18 AM

Absolutely. If you ever did an npm install on a project using one of the affected axios versions, your entire system may be compromised.

> The malicious versions inject a new dependency, [email protected], which is never imported anywhere in the axios source code. Its sole purpose is to execute a postinstall script that acts as a cross-platform remote access trojan (RAT) dropper, targeting macOS, Windows, and Linux. The dropper contacts a live command and control server and delivers platform-specific second-stage payloads. After execution, the malware deletes itself and replaces its own package.json with a clean version to evade forensic detection.

I strongly recommend you read the entire article.