On March 31, three software supply chain incidents appeared in a single day's coverage. A supply chain attack compromised Axios, an HTTP client with 100 million weekly npm downloads — meaning virtually every web company in the world uses it. Separately, Claude Code's source code leaked via a misconfigured npm package. And threat actors stole Cisco's source code by breaching its internal development environment. Three incidents, three vectors, one infrastructure. The foundation of modern software — open-source package registries and internal code repositories — had its worst day in years.
The Eight-Year Arc
Supply chain attacks against the software ecosystem have been accelerating since at least 2018, when a hacker gained access to Event-Stream, a JavaScript library with over 2 million weekly downloads, and inserted cryptocurrency-stealing code. It was one of the first high-profile cases of a trusted open-source package being weaponized against its own users.
Since then, each year has produced a larger incident with a wider blast radius.
- Nov 2018 A hacker compromises Event-Stream, a JavaScript library with 2M+ weekly downloads. The first major npm supply chain attack.
- Feb 2021 A researcher breaches 35+ companies — including Microsoft and Apple — by exploiting dependency confusion, where package managers override local packages with identically named public ones.
- Oct 2021 CISA warns of malware in UAParser.js, an npm package with 6M+ weekly downloads.
- Jan 2022 An open-source maintainer sabotages his own library, expressing regret for supporting "Fortune 500s for free." The social contract frays.
- May 2022 The popular Python library "ctx" and a PHP package are both compromised. The attack crosses language ecosystems.
- Apr 2023 Mandiant reveals that the 3CX supply chain hack — affecting enterprise VoIP — was linked to North Korea. Nation-states enter the supply chain.
- Dec 2024 Researchers find a yearlong supply chain attack involving malicious packages across multiple registries.
- Apr 2025 "Slopsquatting" emerges as a vector: attackers register package names that AI coding assistants hallucinate, turning the tools into unwitting attack delivery systems.
- Sep 2025 18 npm packages injected with malware. GitHub outlines plans to secure npm. The registry itself acknowledges the problem.
The trajectory is consistent: the blast radius grows with each generation. Event-Stream reached 2 million weekly downloads. UAParser.js reached 6 million. Axios reaches 100 million. The packages being compromised aren't obscure libraries — they're the ones everyone depends on.
The AI Amplifier
The AI boom didn't create supply chain risk. It amplified it. AI development is fast, dependency-heavy, and built on the same open-source registries that have been getting attacked for eight years. Every AI company ships code with hundreds of npm and PyPI dependencies. Every AI coding assistant recommends packages without verifying their provenance.
The "slopsquatting" vector — where attackers register packages with names that AI coding tools hallucinate — is the clearest example. When a developer asks an AI assistant for help and the assistant suggests importing a package that doesn't exist, an attacker can create that package and fill it with malware. The AI becomes the distribution mechanism for the attack.
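A defensive gate for the situation described above, as an added example that is not from the original article: before an assistant-suggested package name reaches an install command, check it against the lockfile and a registry metadata snapshot. The snapshot shape, the thresholds, and every package name other than axios are assumptions constructed for illustration.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample data. Every name except axios is hypothetical.
const LOCKED = new Set(["axios"]); // names already pinned in the project's lockfile
const SNAPSHOT = {                 // hypothetical registry snapshot: first publish date, weekly downloads
  "example-yaml-tools": { created: "2019-03-02", weeklyDownloads: 840000 },
  "example-http-retry": { created: "2025-03-20", weeklyDownloads: 41 },
};

// Classify one suggested dependency name.
//   allow          - already pinned, so nothing new enters the tree
//   block          - not registered: a hallucinated name that anyone could claim later
//   review         - registered, but young or barely used (what a freshly squatted name looks like)
//   new-dependency - established package, goes through the normal approval path
function vetSuggestion(name, { locked, snapshot, now, minAgeDays = 90, minWeeklyDownloads = 1000 }) {
  if (locked.has(name)) {
    return { name, verdict: "allow", reason: "already pinned in lockfile" };
  }
  // hasOwnProperty keeps names such as "constructor" from matching Object.prototype.
  const meta = Object.prototype.hasOwnProperty.call(snapshot, name) ? snapshot[name] : null;
  if (!meta) {
    return { name, verdict: "block", reason: "not registered; likely hallucinated and claimable by anyone" };
  }
  const ageDays = Math.floor((now - Date.parse(meta.created)) / DAY_MS);
  const reasons = [];
  if (ageDays < minAgeDays) reasons.push(`first published ${ageDays} days ago`);
  if (meta.weeklyDownloads < minWeeklyDownloads) reasons.push(`${meta.weeklyDownloads} weekly downloads`);
  if (reasons.length > 0) {
    return { name, verdict: "review", reason: reasons.join("; ") };
  }
  return { name, verdict: "new-dependency", reason: "established package; normal approval applies" };
}

function vetAll(names, ctx) {
  return names.map((name) => vetSuggestion(name, ctx));
}

// Demo run over four suggested names with a fixed clock, so the output is reproducible.
console.log(vetAll(
  ["axios", "example-auth-kit", "example-http-retry", "example-yaml-tools"],
  { locked: LOCKED, snapshot: SNAPSHOT, now: Date.parse("2025-04-15") }
));
```

The "block" verdict matters even though nothing malicious exists yet: an unregistered name left in a manifest or a tutorial stays claimable until someone registers it.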
Today's Claude Code incident illustrates the irony from the other direction. Claude Code's own source code leaked through a misconfigured npm package — the same ecosystem that Claude Code helps developers navigate. The AI tool that writes code depending on npm packages was itself exposed through npm. The tool and the vulnerability share the same infrastructure.
The Scale Problem
One hundred million weekly downloads means Axios is installed in virtually every web application stack on earth. A supply chain compromise at this scale doesn't need to target specific companies. It targets the infrastructure itself — the library that every company already trusts, already uses, and never audits because it's been reliable for years.
The three incidents today represent three different failure modes:
Axios: adversarial compromise of a universal dependency. The classic supply chain attack — inject malware into a trusted package and inherit its distribution.
Claude Code: accidental exposure through misconfiguration. Not an attack but an operational failure — the kind of mistake that happens when teams ship fast under competitive pressure.
Cisco: direct breach of internal development infrastructure. Source code stolen by accessing the systems where code is written, not the registries where it's distributed.
Three vectors, one lesson: the software supply chain is attacked from every direction simultaneously, and the defenses haven't kept pace with the dependencies.
The Social Contract
The most powerful technology in history runs on packages maintained by whoever volunteers to maintain them.
In January 2022, the maintainer of a widely-used JavaScript library deliberately broke his own code, writing that he was tired of supporting Fortune 500 companies for free. It was an act of protest — and a demonstration of structural fragility. A single volunteer's frustration could cascade through millions of production systems.
The AI boom intensified this tension without resolving it. Companies valued at hundreds of billions depend on packages maintained by individuals with no security auditing, no support contracts, and no obligation to continue. GitHub has outlined plans to improve npm security. But the architecture — a global registry where anyone can publish and everyone trusts what's published — hasn't changed since 2018. The defenses improved. The foundation didn't.
OpenAI closed a $122 billion funding round on the same day Axios was compromised. The round values OpenAI's technology at the scale of a major economy. That technology — like every other AI system — runs on npm packages and Python libraries maintained by strangers on the internet. The $122 billion runs on the hundred million downloads. And nobody audits the downloads.