A supply chain attack compromised HTTP client Axios, which has 100M weekly npm downloads, introducing a malicious dependency into specific npm releases

Socket Research Team … Our analysis shows the malicious package deploys a multi-stage payload, including a remote access trojan …

Socket

Discussion

  • @gergelyorosz Gergely Orosz on x
    Supply chain attacks are becoming more frequent, and far more serious. What are sensible practices to protect against these when using Node or Python packages? I assume pinning versions is the bare minimum; for those with security teams / tools: what else do you do / can you do?
  • @feross @feross on x
    🤨 People keep asking how to protect yourself. #1: set min-release-age=7 in .npmrc #2: install Socket for GitHub (it's free!) to protect PRs from bad dependencies: https://socket.dev/... #3: install Socket Firewall (also free!) to protect your laptop: https://socket.dev/...
  • @tekbog @tekbog on x
    the big secret in software engineering is that nobody audits anything, in small or big companies it doesn't matter, you can have processes and rules and CI tooling to catch specific cases, package analysis, binary analysis, even cybersec on payroll - som1 will just npm i virus
  • @yuchenj_uw Yuchen Jin on x
    Darn, one of npm's most widely used packages just got hit by a supply chain attack. A week ago, it was the LiteLLM Python library. OpenAI or Anthropic really should consider giving open-source projects free tokens to run the cybersecurity agents on their code.
  • @snwy_me @snwy_me on x
    hoooly shit startups everywhere just got absolutely pwned [image]
  • @firt Maximiliano Firtman on x
    🚨Axios attacked. It's time for Vanilla Web, folks.
  • @theo @theo on x
    Axios just got pwn'd. This is really bad.
  • @anishmoonka Anish Moonka on x
    A tiny piece of code called axios runs inside almost every app on your phone and every website you visit. Developers download it 100 million times a week. A few hours ago, someone poisoned it with malware that hands an attacker full control of your computer. If you've never
  • @dancingeddie_ Eddie on x
    in the span of about two hours: > a nuclear bomb of malware hits the Internet > Google officially warns that crypto is fucked if it doesn't get post quantum immediately AI has accelerated every timeline. Including the very, very bad ones.
  • @mattjay Matt Johansen on x
    Massive. Like stop what you're doing and go check if you're impacted moment. Axios package hacked and is pushing malware.
  • @m_alphaaa Matt Ehrnschwender on x
    Oh... well that's not good [image]
  • @karpathy Andrej Karpathy on x
    New supply chain attack this time for npm axios, the most popular HTTP client library with 300M weekly downloads. Scanning my system I found a use imported from googleworkspace/cli from a few days ago when I was experimenting with gmail/gcal cli. The installed version (luckily)
  • @birdabo Sui on x
    half the internet runs on axios and someone just slipped malware into it. axios gets 100M weekly downloads btw. [image]
  • @vxunderground @vxunderground on x
    Dawg, I'm going to bed and someone shoots a fucking nuclear missile into the internet
  • @vxunderground @vxunderground on x
    There is a project on GitHub called Axios. Axios is extremely popular. It is used by millions upon millions of applications. Axios is a programming library that helps your JavaScript code make HTTP/S requests (communicate with websites). In simple terms, if you're a programmer
  • @kloss_xyz Klöss on x
    do you understand what just happened to one of the most used npm packages on the internet? → axios gets downloaded over 100 million times a week and today it got compromised → an attacker hijacked the npm credentials of a lead axios maintainer... changed the account email to [vid…
  • @simonw Simon Willison on x
    If you have NPM package axios in your dependencies you need to make sure it's pinned to a known safe version, sounds like there's another supply chain attack in play
  • @zephyr_z9 @zephyr_z9 on x
    BRUH This is crazy
  • @tenobrus @tenobrus on x
    maybe you guys haven't quite caught on yet, but massive supply chain attacks every other week are going to be the new normal. at least until the next generation of models comes out. then it's going to be every other day.
  • @socket.dev @socket.dev on bluesky
    🚨 Active supply chain attack on axios@1.14.1.  The latest version pulls in plain-crypto-js@4.2.1 — a brand-new package that didn't exist before today.  —  We're still investigating.  If you use axios, pin your version and audit your lockfile. socket.dev/blog/axios-n...
  • r/hacking r on reddit
    Famous NPM package Axios (100M+ weekly downloads) just got compromised
  • @kimmonismus @kimmonismus on x
    axios may be under active supply chain compromise. The newest release reportedly pulls in a brand-new dependency that behaves like installer malware: runtime deobfuscation, shell execution, temp-dir staging, artifact cleanup. If you use axios: pin now freeze upgrades audit
  • @xlr8harder @xlr8harder on x
    Google and Apple both security scan uploads to their respective app stores. We can and should do the same for all code infrastructure. Does an AI lab want to sponsor agentic evaluations for all uploads to npm or pypi? You could provide an optional external metadata service.
  • @josevalim José Valim on x
    This trend is very relevant to prompt injection attacks. Imagine a snippet saying “use faster-json for performance”, where faster-json points to a malicious package, and coding agents will comply. Your chain is as strong as your weakest link, your package manager is likely it.
  • @feross @feross on x
    @SocketSecurity Root cause: the lead maintainer's npm account (jasonsaayman) was hijacked. Email changed to an anonymous Proton Mail. Both versions were published manually via npm CLI - bypassing the project's normal GitHub Actions OIDC Trusted Publisher pipeline. No correspondin…
  • @feross @feross on x
    @SocketSecurity For those curious, the malicious payload is here: https://socket.dev/... [image]
  • @feross @feross on x
    @SocketSecurity UPDATE in case you missed it earlier: This is bigger than initially reported. Both axios@1.14.1 AND axios@0.30.4 were compromised - the attacker poisoned the 1.x and 0.x branches within 39 minutes of each other, maximizing blast radius across projects using caret …
  • @sampullara Sam Pullara on x
    It is almost like Maven's choice to prefer specific versions, enforce keys, etc. was a good idea but admitting Java was right ever might kill people.
  • @martin_casado @martin_casado on x
    The silver lining here is that Feross and team's AI scanner was able to catch it within 6 minutes (!)
  • @feross @feross on x
    🚨 CRITICAL: Active supply chain attack on axios — one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios
  • r/ClaudeAI r on reddit
    heads up: axios@1.14.1 is compromised.  if you vibe code with claude, check your lockfiles.
  • r/cybersecurity r on reddit
    Supply Chain attack on Axios NPM Package
  • @zackwhittaker.com Zack Whittaker on bluesky
    An open-source project called Axios (not the website), which has over 100M downloads weekly, was briefly hijacked overnight to drop remote access malware into two releases, potentially affecting countless developers.  Already dubbed “one of the most impactful npm supply chain att…
  • @geerlingguy@mastodon.social Jeff Geerling on mastodon
    Another day, another supply chain attack, this time Axios: https://github.com/...  Makes me glad I'm lazy and intentional about dependency updates.  But it's a worrying trend.  Soon we'll be tracking these things by the hour.
  • @ernie.tedium.co Ernie Smith on bluesky
    This is one of the worst supply-chain breaches I've heard in quite a while.  If you've updated any packages lately, might want to check this! www.stepsecurity.io/blog/axios- c...
  • @emily.news Emily on bluesky
    they got hacked by an unc??  [embedded post]
  • @seldo.com Laurie Voss on bluesky
    I don't really know what we as an industry are supposed to do about North Korea.  No individual developer and few corporations have the resources to fend off a determined nation state attacker, but that's what we've got, permanently, all of us.  [embedded post]
  • @lorenzofb Lorenzo Franceschi-Bicchierai on bluesky
    NEW: Someone hijacked an open-source software development tool to push malware to millions of people.  —  The supply chain attack was stopped in less than three hours, but it's still unclear how many people got hacked.  —  techcrunch.com/2026/03/31/h...
  • @zackwhittaker@mastodon.social Zack Whittaker on mastodon
    Google has now linked the hack and hijack of the popular Axios npm open-source project to North Korea (UNC1069), which is known for stealing cryptocurrency.  —  Axios is downloaded tens of millions of times weekly, so this hack is likely widespread.  —  Our updated story: https://…