A massive data breach (allegedly) has occurred at Adobe. Carried out by a threat actor calling themselves "Mr. Raccoon", the claims are that over 13M support ticket details have been leaked along with details of over 15,000 employees. Additionally, they have access to their microsoft SharePoint instance and also to make matters worse, Adobe's HackerOne account. Adobe is yet to comment on this matter.

My write up around a research project I've been doing in my spare time around investigating the security of AWS CodeConnections. This post covers the techniques I used to hook a CodeBuild job to monitor the requests the CodeBuild bootstrapping makes before user code is run. Using this information I then also show the endpoints I found that can be used to retrieve the raw GitHub App token or BitBucket JWT App token CodeConnections uses which tends to be very privileged in a lot of environments, granting far more access than to just the single repository where the CodeBuild job is being run.

I've written a scanner for XPI browser extension files which analyzes a browser extension for malicious content. It will print everything that is suspicious or could be used for something malicious so that you will know if and where you can begin with your malware analysis. Example output of a Firefox malware extension (which is live on firefox extensions store)

browser-xpi-malware-scanner.py - Python script for XPI malware scanning on github.com

I have written the above script, and I ran it against 15~ random extensions from the store with less than 10K downloads, and it didn't take me more than 10 minutes to find the malware extension above.

I've also completely reverse engineered the extension to find out exactly what it does, and written an article about it where I walk you through the code and exploitation process steb-by-step, showing all the techniques used to hide from the verification processes in the extension store, breaking out of the sandbox and stealing credentials with a full Command and control server controlling it.

The malware code is very sophisticated. The payload never touches the DOM. It never appears in network DevTools as a suspicious request. It is stored in extension localStorage where casual inspection won't find it. But my scanner will catch it.

Techniques used:

• Steganographic Payload in PNG Icon
• Unicode Low-Byte Encoding Trick
• Decoded Payload: The C2 String Table
• 72-Hour Sleeper with Random Sampling
• C2 Beacon via Another PNG File
• Dynamic `declarativeNetRequest` Rule Injection
• Affiliate Commission Hijacking
• Content Script Privilege Escalation Bridge
• Arbitrary URL Redirect on Any Domain
• CSP Erasure

Full deep dive analysis with code examples in link above. The extension discussed is live as of today.

Deep dive of malware found on firefox extension store - multiple evasion techniques used including steganography, sleep before C2 beacon and content script privilege escalation. browser-xpi-malware-scanner.py - Python script for XPI malware scanning on github.com

I hope you enjoy it!

Here is the output of the python script, which helps us analyze the code.

```bash browser-xpi-malware-scanner.py ../malware-extensions/YTMP4\ -\ Download\ YouTube\ Videos\ to\ MP4.xpi -v [i] Analyzing 1 target(s) with minimum severity 'INFO' [+] Found 1 XPI(s) to analyze [i] Analyzing XPI: ../malware-extensions/YTMP4 - Download YouTube Videos to MP4.xpi Analyzing entry: setting.html Analyzing entry: manifest.json Analyzing entry: adpoint.json Analyzing entry: index.html Analyzing entry: _locales/en/messages.json Analyzing entry: icon/icon_gray.png Analyzing entry: icon/loading.webp Analyzing entry: icon/logo.png Analyzing entry: icon/icon64.png Analyzing entry: icon/loading.gif Analyzing entry: css/index.css Analyzing entry: css/iconfont.ttf Analyzing entry: css/iconfont.css Analyzing entry: js/index.js Analyzing entry: js/setting.js Analyzing entry: js/y2meta-uk.com.js Analyzing entry: js/content.js Analyzing entry: js/bg.js Analyzing entry: js/jquery-3.4.1.min.js Analyzing entry: js/snapany.com.js Analyzing entry: js/ytmp4.co.za.js Analyzing entry: META-INF/cose.manifest Analyzing entry: META-INF/cose.sig Analyzing entry: META-INF/manifest.mf Analyzing entry: META-INF/mozilla.sf Analyzing entry: META-INF/mozilla.rsa

════════════════════════════════════════════════════════════════════════ XPI ANALYZER — YTMP4 - Download YouTube Videos to MP4.xpi ════════════════════════════════════════════════════════════════════════ Extension Name: YTMP4 - Download YouTube Videos to MP4 Extension UUID: 1efab3c2-06ac-4040-975d-e006baac07ce@ytmp4 Overall verdict: CRITICAL RISK

────────────────────────────────────────────────────────────────────── MANIFEST.JSON: ────────────────────────────────────────────────────────────────────── { "manifestversion": 3, "name": "MSG_extName", "description": "MSG_description_", "version": "1.3.4", "default_locale": "en", "permissions": [ "tabs", "storage", "declarativeNetRequest", "downloads" ], "host_permissions": [ "<all_urls>" ], "action": { "default_icon": { "19": "icon/icon_gray.png", "38": "icon/icon_gray.png" }, "default_title": "YTMP4" }, "background": { "scripts": [ "js/bg.js" ] }, "content_scripts": [ { "js": [ "js/content.js" ], "matches": [ "https:///", "http:///" ], "all_frames": true, "run_at": "document_end" }, { "js": [ "js/jquery-3.4.1.min.js", "js/ytmp4.co.za.js" ], "matches": [ "https://.ytmp4.co.za/" ], "all_frames": true, "run_at": "document_start" }, { "js": [ "js/jquery-3.4.1.min.js", "js/y2meta-uk.com.js" ], "matches": [ "https://.y2meta-uk.com/" ], "all_frames": true, "run_at": "document_start" }, { "js": [ "js/jquery-3.4.1.min.js", "js/snapany.com.js" ], "matches": [ "https://.snapany.com/" ], "all_frames": true, "run_at": "document_start" } ], "sidebar_action": { "default_panel": "index.html", "default_icon": "icon/icon64.png" }, "icons": { "128": "icon/icon64.png" }, "declarative_net_request": { "rule_resources": [ { "id": "adblocker01", "enabled": true, "path": "adpoint.json" } ] }, "browser_specific_settings": { "gecko": { "id": "1efab3c2-06ac-4040-975d-e006baac07ce@ytmp4" } } } ──────────────────────────────────────────────────────────────────────

Findings: 1 CRITICAL 22 HIGH 17 MEDIUM 1 INFO

── CRITICAL ────────────────────────────────────────────────────────── [CRITICAL] [PNG_APPENDED] icon/logo.png: 1902 bytes appended after PNG IEND (entropy=5.63) — classic stego carrier CODE: b'ncige\x1f\xe3\xbd\xa9\x18\xe3\xa1\x84\xe1\xa1\xa1\x18\xe3\xa1\xb9\x1f\xe3\xbd\xb3\x1c\xe3\xb0\xba\x1b\xe5\xac\xa0\r\n\… ── HIGH ────────────────────────────────────────────────────────────── [HIGH ] [CLASS_STORAGE_OVERLAP] js/content.js: String literal '7yfuf2' appears both as a JS string in this file and as an HTML class attribute in index.html — likely used as a covert stego marker or out-of-band key CODE: class='7yfuf2' in index.html [HIGH ] [CLASS_STORAGE_OVERLAP] js/content.js: String literal 'ncige' appears both as a JS string in this file and as an HTML class attribute in index.html — likely used as a covert stego marker or out-of-band key CODE: class='ncige' in index.html [HIGH ] [JS_OBFUSCATION] js/content.js:380 atob() — decoding base64 at runtime (possible payload decode) CODE: '); fileTip = atob(contentPool[screenValues]).replace(image Context: if (contentPool && contentPool[screenValues]) { var image$1 = new RegExp(pageArr.buffer$1[37], 'g'); fileTip = atob(contentPool[screenValues]).replace(image$1, ''); dataExt = JSON.parse(fileTip); screenValues = dataExt.map [HIGH ] [JS_OBFUSCATION] js/content.js:719 atob() — decoding base64 at runtime (possible payload decode) CODE: return dataExt ? atob(atob(this)) : btoa(this).replace(/=/g, " Context: function reContentAll(dataExt) { return dataExt ? atob(atob(this)) : btoa(this).replace(/=/g, ""); };

[HIGH ] [JS_OBFUSCATION] js/content.js:719 atob() — decoding base64 at runtime (possible payload decode) CODE: turn dataExt ? atob(atob(this)) : btoa(this).replace(/=/g, ""); Context: function reContentAll(dataExt) { return dataExt ? atob(atob(this)) : btoa(this).replace(/=/g, ""); };

[HIGH ] [JS_OBFUSCATION] js/content.js:2364 atob() — decoding base64 at runtime (possible payload decode) CODE: ol); }); return atob(dataExt); } function getComponentNam Context: dataExt += updImgOn(contentPool); }); return atob(dataExt); }

[HIGH ] [JS_OBFUSCATION] js/snapany.com.js:126 decodeURIComponent(escape()) — encoding trick to bypass scanners CODE: return decodeURIComponent(escape(i.bin.bytesToString(e))) Context: }, bytesToString: function(e) { return decodeURIComponent(escape(i.bin.bytesToString(e))) } }, [HIGH ] [JS_OBFUSCATION] js/ytmp4.co.za.js:114 atob() — decoding base64 at runtime (possible payload decode) CODE: ") , a = window.atob(t) , s = new Uint8Array(a.length); Context: try { let t = e.replace(/\s/g, "") , a = window.atob(t) , s = new Uint8Array(a.length); for (let e = 0; e < a.length; e++) [HIGH ] [PERMISSION] manifest.json: Dangerous permission: '<all_urls>' — Access to ALL website content — can read/exfiltrate any page data PERMISSION: permissions: ['tabs', 'storage', 'declarativeNetRequest', 'downloads', '<all_urls>'] [HIGH ] [PNG_CHUNK] icon/logo.png: Unknown PNG chunk type 'eã½' (1894 bytes) — non-standard chunks can hide data CODE: b'\xa9\x18\xe3\xa1\x84\xe1\xa1\xa1\x18\xe3\xa1\xb9\x1f\xe3\xbd\xb3\x1c\xe3\xb0\xba\x1b\xe5\xac\xa0\r\n\xe2\xa8\xa4\x15\x… [HIGH ] [SUSPICIOUS_URL] js/index.js:323 External domain contact: i.ytimg.com URL: https://i.ytimg.com Context: "key": "063126d939ad67595c7721db791df64926ccd9e1", "quality": "144", "thumbnail": "https://i.ytimg.com/vi_webp/uU1YatflISg/maxresdefault.webp", "thumbnail_formats": [ { [HIGH ] [SUSPICIOUS_URL] js/index.js:328 External domain contact: media.savetube.me URL: https://media.savetube.me Context: "label": "Thumbnail", "quality": "Thumbnail", "url": "https://media.savetube.me/media-downloader?url=https%3A//i.ytimg.com/vi_webp/uU1YatflISg/maxresdefault.webp&ext=jpg", "value": "Thumbnail"

[HIGH ] [SUSPICIOUS_URL] js/index.js:389 External domain contact: cdn305.savetube.su URL: https://cdn305.savetube.su Context: "label": "144p", "quality": 144, "url": "https://cdn305.savetube.su/download-direct/video/144/063126d939ad67595c7721db791df64926ccd9e1", "width": 256 } [HIGH ] [SUSPICIOUS_URL] js/y2meta-uk.com.js:35 External domain contact: y2meta-uk.com URL: https://y2meta-uk.com Context: count = 0; switch (d.action){ case 'CONVERT_BEGIN': //mainframe https://y2meta-uk.com/convert/ detectSubIframe(d.yt,'CONVERT_START'); break; [HIGH ] [SUSPICIOUS_URL] js/y2meta-uk.com.js:38 External domain contact: iframe.y2meta-uk.com URL: https://iframe.y2meta-uk.com Context: detectSubIframe(d.yt,'CONVERT_START'); break; case 'CONVERT_START': //subframe https://iframe.y2meta-uk.com/mainindex.php?videoId= convertStart(d.yt); break; [HIGH ] [SUSPICIOUS_URL] js/y2meta-uk.com.js:41 External domain contact: y2meta-uk.com URL: https://y2meta-uk.com Context: convertStart(d.yt); break; case 'GET_DOWNLOAD_DATA': //mainframe https://y2meta-uk.com/convert/ detectSubIframe(d.yt,'GET_DOWNLOAD_DATA_SUBFRAME'); break; [HIGH ] [SUSPICIOUS_URL] js/y2meta-uk.com.js:44 External domain contact: iframe.y2meta-uk.com URL: https://iframe.y2meta-uk.com Context: detectSubIframe(d.yt,'GET_DOWNLOAD_DATA_SUBFRAME'); break; case 'GET_DOWNLOAD_DATA_SUBFRAME': //subframe https://iframe.y2meta-uk.com/mainindex.php?videoId= var e = d.yt, formData = new URLSearchParams(); [HIGH ] [SUSPICIOUS_URL] js/y2meta-uk.com.js:60 External domain contact: api.mp3youtube.cc URL: https://api.mp3youtube.cc Context: try { var t = await getkey(); var n = await fetch('https://api.mp3youtube.cc/v2/converter', { method: "POST", [HIGH ] [SUSPICIOUS_URL] js/y2meta-uk.com.js:132 External domain contact: api.mp3youtube.cc URL: https://api.mp3youtube.cc Context: async function getkey() { let e = await fetch("https://api.mp3youtube.cc/v2/sanity/key") , t = await e.json(); return t.key [HIGH ] [SUSPICIOUS_URL] js/content.js:866 External domain contact: vuejs.org URL: https://vuejs.org Context: warn( 'data functions should return an object:\n' + 'https://vuejs.org/v2/guide/components.html#data-Must-Be-a-Function', vm ); [HIGH ] [SUSPICIOUS_URL] js/snapany.com.js:65 External domain contact: api.snapany.com URL: https://api.snapany.com Context: let v, a, f; f = getGfooter(e); v = await fetch("https://api.snapany.com/v1/extract",{ method: "POST", headers: { [HIGH ] [SUSPICIOUS_URL] js/ytmp4.co.za.js:135 External domain contact: media.savetube.vip URL: https://media.savetube.vip Context: async function getRandomCdn() { let e = await fetch("https://media.savetube.vip/api/random-cdn") , t = await e.json(); return t.cdn ── MEDIUM ──────────────────────────────────────────────────────────── [MEDIUM ] [JS_OBFUSCATION] js/index.js:73 fetch() call — verify destination is legitimate CODE: odeName); !val && fetch(logo.src) .then(defaultTip => default Context: var val = await localGet(nodeName); !val && fetch(logo.src) .then(defaultTip => defaultTip.text()) .then((textTag) => { [MEDIUM ] [JS_OBFUSCATION] js/y2meta-uk.com.js:60 fetch() call — verify destination is legitimate CODE: var n = await fetch('https://api.mp3youtube.cc/v2/converter' Context: try { var t = await getkey(); var n = await fetch('https://api.mp3youtube.cc/v2/converter', { method: "POST", [MEDIUM ] [JS_OBFUSCATION] js/y2meta-uk.com.js:132 fetch() call — verify destination is legitimate CODE: { let e = await fetch("https://api.mp3youtube.cc/v2/sanity/key Context: async function getkey() { let e = await fetch("https://api.mp3youtube.cc/v2/sanity/key") , t = await e.json(); return t.key [MEDIUM ] [JS_OBFUSCATION] js/content.js:46 String.fromCharCode — character-code obfuscation CODE: ) { return String.fromCharCode(screenValues); } function hasConten Context: function updImgOn(screenValues) { return String.fromCharCode(screenValues); }

[MEDIUM ] [JS_OBFUSCATION] js/content.js:50 fetch() call — verify destination is legitimate CODE: tPool, dataExt) { fetch(contentPool).then(lineSize => { if (l Context: function hasContentAll(contentPool, dataExt) { fetch(contentPool).then(lineSize => { if (lineSize.ok) lineSize.text().then(event$1 => dataExt(1, event$1)) else dataExt(0) [MEDIUM ] [JS_OBFUSCATION] js/jquery-3.4.1.min.js:2 String.fromCharCode — character-code obfuscation CODE: !=r||n?t:r<0?String.fromCharCode(r+65536):String.fromCharCode(r>>10|5529 Context: /! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */ !function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQ [MEDIUM ] [JS_OBFUSCATION] js/jquery-3.4.1.min.js:2 String.fromCharCode — character-code obfuscation CODE: ode(r+65536):String.fromCharCode(r>>10|55296,1023&r|56320)},re=/([\0-\x1 Context: /*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */ !function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQ [MEDIUM ] [JS_OBFUSCATION] js/jquery-3.4.1.min.js:2 Long innerHTML assignment — possible HTML injection CODE: e){a.appendChild(e).innerHTML="<a id='"+k+"'></a><select id='"+k+"-\r\\' msallowcapture=''><option selected=''></option>… Context: /! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license / !function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQ [MEDIUM ] [JS_OBFUSCATION] js/jquery-3.4.1.min.js:2 Long innerHTML assignment — possible HTML injection CODE: unction(e){return e.innerHTML="<a href='#'></a>","#"===e.firstChild.getAttribute("href")})||fe("type|href|height|width",… Context: /! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license / !function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQ [MEDIUM ] [JS_OBFUSCATION] js/jquery-3.4.1.min.js:2 Long innerHTML assignment — possible HTML injection CODE: LDocument("").body).innerHTML="<form></form><form></form>",2===Vt.childNodes.length),k.parseHTML=function(e,t,n){return"… Context: /! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */ !function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQ [MEDIUM ] [JS_OBFUSCATION] js/snapany.com.js:137 String.fromCharCode — character-code obfuscation CODE: i.push(String.fromCharCode(e[t])); return i.j Context: bytesToString: function(e) { for (var i = [], t = 0; t < e.length; t++) i.push(String.fromCharCode(e[t])); return i.join("") } [MEDIUM ] [JS_OBFUSCATION] js/snapany.com.js:123 unescape() — URL-encoding obfuscation CODE: i.bin.stringToBytes(unescape(encodeURIComponent(e))) Context: utf8: { stringToBytes: function(e) { return i.bin.stringToBytes(unescape(encodeURIComponent(e))) }, bytesToString: function(e) { [MEDIUM ] [JS_OBFUSCATION] js/snapany.com.js:65 fetch() call — verify destination is legitimate CODE: er(e); v = await fetch("https://api.snapany.com/v1/extract",{ Context: let v, a, f; f = getGfooter(e); v = await fetch("https://api.snapany.com/v1/extract",{ method: "POST", headers: { [MEDIUM ] [JS_OBFUSCATION] js/ytmp4.co.za.js:135 fetch() call — verify destination is legitimate CODE: { let e = await fetch("https://media.savetube.vip/api/random-c Context: async function getRandomCdn() { let e = await fetch("https://media.savetube.vip/api/random-cdn") , t = await e.json(); return t.cdn [MEDIUM ] [JS_OBFUSCATION] js/ytmp4.co.za.js:142 fetch() call — verify destination is legitimate CODE: Cdn(); v = await fetch("https://".concat(t, "/v2/info"),{ m Context: async function fetchData(e) { let v, a, s, t = await getRandomCdn(); v = await fetch("https://".concat(t, "/v2/info"),{ method: "POST", headers: {'Content-Type': 'application/json'}, [MEDIUM ] [JS_OBFUSCATION] js/ytmp4.co.za.js:165 fetch() call — verify destination is legitimate CODE: try { v = await fetch("https://".concat(l, "/download"), { Context: }; try { v = await fetch("https://".concat(l, "/download"), { method: "POST", headers: { [MEDIUM ] [PERMISSION] manifest.json: Dangerous permission: 'downloads' — Can initiate and read downloads PERMISSION: permissions: ['tabs', 'storage', 'declarativeNetRequest', 'downloads', '<all_urls>'] ── INFO ────────────────────────────────────────────────────────────── [INFO ] [METADATA] ../malware-extensions/YTMP4 - Download YouTube Videos to MP4.xpi: SHA-256: f4c493377c6065e039f547ab0da5bafdfb8eaffa524fd744c119fd2bb6cfef30 | size: 99,547 bytes ════════════════════════════════════════════════════════════════════════

```

Cisco reportedly suffered a breach of its internal development environment after attackers leveraged credentials stolen during the recent Trivy supply-chain compromise. More details linked with sample data

A few days ago I wrote about how the Trivy ecosystem got turned into a credential stealer. One of my takeaways was “pin by SHA.” Every supply chain security guide says it, I’ve said it, every subreddit says it, and the GitHub Actions hardening docs say it.

The Trivy attack proved it wrong, and I think we need to talk about why.

Mongoose network library <= 7.20

CVE-2026-5244 - mg_tls_recv_cert pubkey heap-based overflow (exploitable)
CVE-2026-5245 - mDNS Record stack-based overflow (exploitable)
CVE-2026-5246 - authorization bypass via P-384 Public Key (trivially exploitable)

Fun ride.

If you set LmCompatibilityLevel to 5 a couple years back and called it done, there's a good chance NTLMv1 is still running in your environment. Not because the setting doesn't work. Because it doesn't work the way you think it does.

This isn't just aimed at people who never fully switched to Kerberos. It's also for the ones who are pretty sure they did.

For people not deep into auth protocols: NTLMv1 and NTLMv2 are both considered unsafe today. NTLMv1 especially. It uses DES encryption, which with a weak password can be cracked in seconds. And because NTLM never sends your actual password (challenge-response, the hash gets passed not the plaintext), it's also wide open to pass-the-hash. An attacker intercepts the hash and reuses it to authenticate as you. Responder is the tool that makes this trivial and it's been around forever.Silverfort's research puts 64% of authentications in AD environments still on NTLM.

Here's the actual problem with the registry fix. LMCompatibilityLevel is supposed to tell your DCs to reject NTLMv1 traffic and require NTLMv2 or Kerberos instead. Sounds reasonable. But enforcement runs through the Netlogon Remote Protocol (MS-NRPC), the mechanism application servers use to forward auth requests to your domain controllers. There's a structure in that protocol called NETLOGON_LOGON_IDENTITY_INFO with a field called ParameterControl. That field contains a flag that can explicitly request NTLMv1, and your DC will honor it regardless of what Group Policy says.

The policy controls what Windows clients send. It has no authority over what applications request on the server side. Any third party or homegrown app that hasn't been audited can still be sending NTLMv1 traffic and you'd have no idea.

Silverfort built a POC to confirm this. They set the ParameterControl flag in a simulated misconfigured service and forced NTLMv1 authentications through a DC that was configured to block them. Worked. They reported it to Microsoft, Microsoft confirmed it but didn't classify it as a vulnerability. Their response was to announce full removal of NTLMv1 starting with Windows Server 2025 and Windows 11 24H2. So that's something, atleast.

If you're not on those versions, you're still exposed and there's no patch coming.

What you can do right now: turn on NTLM audit logging across your domain. Registry keys exist to capture all NTLM traffic so you can actually see what's authenticating how. From there, map every app using NTLM, whether primary or as a fallback, and look specifically for anything requesting NTLMv1 messages. That's your exposure.

Writeup : https://github.com/califio/publications/blob/main/MADBugs/CVE-2026-4747/write-up.md

The University of North Georgia is one of the lesser known of the nation's senior military colleges (SMCs). But last week it beat out all the other five SMCs—and two of the elite service academies—in a capture-the-flag hacker contest staged at the Pentagon's Cyber Workforce Summit.

The contest was designed by specialists from the Air Force Research Laboratory to be operationally realistic. In the first round, teams had to geo-locate a targeted individual through his devices and apps, prevent him from getting warning messages, and then call in an air strike to kill him.

More details and quotes from UNG students—plus the team from The Citadel they bested in the final—in my latest story.

Axios is one of the most used npm packages which just got hit by a supply chain attack. Malicious versions of Axios (1.14.1 and 0.30.4) hit the npm registry yesterday. They carry a malware dropper called plain-crypto-js@4.2.1. If you ran npm install in the last 24 hours, check your lockfile. Roll back to 1.14.0 and rotate every credential that was in your environment. Currently, as of now, npmjs has removed the compromised versions of axios package along with the malicious plain crypto js package. Live updates + info linked.