do you understand what just happened to one of the most used npm packages on the internet?
→ axios gets downloaded over 100 million times a week and today it got compromised
→ an attacker hijacked the npm credentials of a lead axios maintainer… changed the account email to an anonymous ProtonMail address… and manually published two poisoned versions
→ axios@1.14.1 and axios@0.30.4… neither version contains a single line of malicious code inside axios itself. instead they inject a fake dependency called plain-crypto-js that drops a remote access trojan on your machine
→ the fake dependency was staged 18 hours in advance… three separate payloads were pre-built for macOS, Windows, and Linux… both release branches were hit within 39 minutes. every trace was designed to self-destruct after execution too
→ there’s no tag in the axios GitHub repo for 1.14.1. it was published outside the normal release process entirely… bypassed CI/CD completely
→ StepSecurity called it one of the most operationally sophisticated supply chain attacks ever against a top 10 npm package
→ a routine npm install silently opens a backdoor… no warning… no suspicious code visible in axios itself
this is the wake-up call all vibe coding bros need to hear right now:
→ if you installed either version… assume your system is compromised
→ pin to axios@1.14.0 or axios@0.30.3
→ rotate all secrets, API keys, SSH keys, and credentials on affected machines
→ check network logs for C2 connections
→ add --ignore-scripts to CI npm installs going forward
100 million weekly downloads and one compromised maintainer account…
that’s all it took to wreak absolute havoc
and I imagine we’ll see a whole lot more of these… crazy times ahead for cybersecurity and vibe coding
be safe out there y’all