Hacker News Viewer

Axios compromised on NPM – Malicious versions drop remote access trojan

by mtud on 3/31/2026, 2:54:17 AM

https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan

Comments

by: postalcoder

PSA: npm/bun/pnpm/uv now all support setting a minimum release age for packages.

I also have `ignore-scripts=true` in my ~/.npmrc. Based on the analysis, that alone would have mitigated the vulnerability. bun and pnpm do not execute lifecycle scripts by default.

Here's how to set global configs to set min release age to 7 days:

    ~/.config/uv/uv.toml
    exclude-newer = "7 days"

    ~/.npmrc
    min-release-age=7 # days
    ignore-scripts=true

    ~/Library/Preferences/pnpm/rc
    minimum-release-age=10080 # minutes

    ~/.bunfig.toml
    [install]
    minimumReleaseAge = 604800 # seconds

(Side note, it's wild that npm, bun, and pnpm have all decided to use different time units for this configuration.)

If you're developing with LLM agents, you should also update your AGENTS.md/CLAUDE.md file with some guidance on how to handle failures stemming from this config as they *will* cause the agent to unproductively spin its wheels.

3/31/2026, 4:05:59 AM


by: h4ch1

I can't even imagine the scale of the impact with Axios being compromised, nearly every other project uses it for some reason instead of fetch (I never understood why).

Also from the report:

> Neither malicious version contains a single line of malicious code inside axios itself. Instead, both inject a fake dependency, plain-crypto-js@4.2.1, a package that is never imported anywhere in the axios source, whose only purpose is to run a postinstall script that deploys a cross-platform remote access trojan (RAT)

Good news for pnpm/bun users who have to manually approve postinstall scripts.

3/31/2026, 3:40:50 AM
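
An added example, not part of the thread or the StepSecurity report: since the quoted finding says the only change was an injected dependency with a postinstall script, this code diffs two parsed `package-lock.json` objects and flags what an update introduced. It assumes lockfileVersion 2 or 3, where npm records `hasInstallScript`; the function names, sample lockfiles and axios version strings are constructed for illustration.

```javascript
// Added example, not code from the thread or the report. Works on parsed
// package-lock.json objects (lockfileVersion 2/3), e.g. JSON.parse of the file.

// "node_modules/a/node_modules/@s/b" -> "@s/b"; the root entry "" -> null.
function nameFromPath(p) {
  const marker = "node_modules/";
  const i = p.lastIndexOf(marker);
  return i === -1 ? null : p.slice(i + marker.length);
}

// Map of "name@version" -> lockfile entry for every installed package.
function collect(lock) {
  const out = new Map();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromPath(path);
    if (name && entry.version) out.set(`${name}@${entry.version}`, entry);
  }
  return out;
}

// Findings for every name@version present in `after` but not in `before`.
function diffLockfiles(before, after, denylist = []) {
  const old = collect(before);
  const bare = (id) => id.slice(0, id.lastIndexOf("@"));
  const oldNames = new Set([...old.keys()].map(bare));
  const findings = [];
  for (const [id, entry] of collect(after)) {
    if (old.has(id)) continue;
    findings.push({
      id,
      newPackage: !oldNames.has(bare(id)), // not just a version bump
      installScript: entry.hasInstallScript === true, // runs code at install
      denylisted: denylist.includes(id),
    });
  }
  return findings.sort((a, b) => a.id.localeCompare(b.id));
}

// Constructed sample lockfiles; the axios version strings are placeholders.
const BEFORE = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/axios": { version: "0.0.0-placeholder-a" },
}};
const AFTER = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/axios": { version: "0.0.0-placeholder-b" },
  "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
}};
const REPORT = diffLockfiles(BEFORE, AFTER, ["plain-crypto-js@4.2.1"]);
console.log(JSON.stringify(REPORT, null, 2));
```

A finding with both `newPackage` and `installScript` set is the combination worth blocking in CI until someone has reviewed it.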


by: vsgherzi

Not to beat a dead horse but I see this again and again with dependencies. Each time I get more worried that the same will happen with rust. I understand the fat std library approach won’t work but I really still want a good solution where I can trust packages to be safe and high quality.

3/31/2026, 4:41:20 AM


by: wps

Genuinely how are you supposed to make sure that none of the software you have on your system pulls this in?

It’s things like this that make me want to swap to Qubes permanently, simply as to not have my password manager in the same context as compiling software ever.

3/31/2026, 4:31:17 AM


by: tkel

83M weekly downloads! JS package managers (pnpm, bun) now will ignore postinstall scripts by default. Except for npm, it still runs them for legacy reasons.

You should probably set your default to not run those scripts. They are mostly unnecessary.

    ~/.npmrc : ignore-scripts=true

3/31/2026, 5:01:23 AM


by: jadar

How much do you want to bet me that the credential was stolen during the previous LiteLLM incident? At what point are we going to have to stop using these package managers because it's not secure? I've got to admit, it's got me nervous to use Python or Node.js these days, but it's really a universal problem.

3/31/2026, 3:34:59 AM


by: jmward01

This may not be popular, but is there a place for required human actions or just timed actions to slow down things like this? For instance, maybe a GH action to deploy requires a final human click and to change that to cli has a 3 day cooling period with mandatory security emails sent out. Similarly, you switch to read only for 6 hrs after an email change. There are holes in these ideas but the basic concept is to treat security more like physical security, your goal isn't always to 100% block but instead to slow an attacker for xxx minutes to give the rest of the team time to figure out what is going on.

3/31/2026, 4:12:24 AM


by: acheong08

There are so many scanners these days these things get caught pretty quick. I think we need either npm or someone else to have a registry that only lets through packages that pass these scanners. Can even do the virustotal thing of aggregating reports by multiple scanners. NPM publishes attestation for trusted build environments. Google has oss-rebuild.

All it takes is an `npm config set` to switch registries anyways. The hard part is having a central party that is able to convince all the various security companies to collaborate rather than having dozens of different registries each from each company.

Rather than just a hard-coded delay, I think having policies on what checks must pass first makes sense with overrides for when CVEs show up.

(WIP)

3/31/2026, 4:39:38 AM


by: bluepeter

Min release age sucks, but we’ve been here before. Email attachments used to just run wild too, then everyone added quarantine delays and file blocking and other frictions... and it eventually kinda/sorta worked. This does feel worse, though, with fewer chokepoints and execution as a natural part of the expectation.

Edit: bottom line is installs are gonna get SOOO much more complicated. You can already see the solution surface... Cooling periods, maintainer profiling, sandbox detonation, lockfile diffing, weird publish path checks. All adds up to one giant PITA for fast easy dev.

3/31/2026, 4:14:30 AM


by: Surac

All these supply chain attacks make me nervous about the apps I use. It would be valuable info if an app used such dependencies, but on the other hand, programmers would cut their sales if they gave you this info.

3/31/2026, 5:03:34 AM


by: woeirua

Supply chain attacks are so scary that I think most companies are going to use agents to hard fork their own versions of a lot of these core libraries instead. It wasn’t practical before. It’s definitely much more doable today.

3/31/2026, 4:31:54 AM


by: marjipan200

Incident tracking:

https://github.com/axios/axios/issues/10604

3/31/2026, 3:32:47 AM


by: mtud

Supply chain woes continue

3/31/2026, 2:54:17 AM


by: koolba

> Both versions were published using the compromised npm credentials of a lead axios maintainer, bypassing the project's normal GitHub Actions CI/CD pipeline.

Doesn’t npm mandate 2FA as of some time last year? How was that bypassed?

3/31/2026, 3:28:54 AM


by: 0x500x79

Pin your dependencies folks! Audit and don't upgrade to every brand new version.

3/31/2026, 4:09:45 AM


by: dhruv3006

174025 dependents.

3/31/2026, 4:17:29 AM


by: rtpg

Please can we just have a 2FA step on publishing? Do we really need a release to be entirely and fully automated?

It won't stop all attacks but definitely would stop some of these

3/31/2026, 4:28:30 AM


by: 8cvor6j844qw_d6

Should increase the delay to dependency updates.

3/31/2026, 3:34:57 AM


by: tonymet

Has anyone tested general purpose malware detection on supply chains? Like clamscan. I tried to test the LiteLLM hack but the affected packages had been pulled. Windows Defender AV has an inference based detector that may work when signatures have not yet been published

3/31/2026, 3:41:14 AM


by: 0x1ceb00da

Coded has zero npm dependencies. Neat!

3/31/2026, 4:14:57 AM


by: stevenmh

[dead]

3/31/2026, 4:53:41 AM


by: imrozim

[flagged]

3/31/2026, 4:10:42 AM


by: franciscop

[flagged]

3/31/2026, 4:31:55 AM


by: slopinthebag

It's reasons like this why I refuse to download Node or use anything NPM. Thankfully other languages are better anyways.

3/31/2026, 3:33:52 AM


by: himata4113

I recommend everyone to use bwrap if you're on linux and alias all package managers / anything that has post build logic with it.

I have bwrap configured to override: npm, pip, cargo, mvn, gradle, everything you can think of and I only give it the access it needs, strip anything that is useless to it anyway, deny dbus, sockets, everything. SSH is forwarded via socket (ssh-add).

This limits the blast radius to your CWD and package manager caches and often won't even work since the malware usually expects some things to be available which are not in a permissionless sandbox.

You can think of it as running a docker container, but without the requirement of having to have an image. It is the same thing flatpak is based on.

As for server deployments, container hardening is your friend. Most supply chain attacks target build scripts so as long as you treat your CI/CD as an untrusted environment you should be good - there's quite a few resources on this so won't go into detail.

Bonus points: use the same sandbox for AI.

Stay safe out there.

3/31/2026, 4:10:05 AM