#NPMAttack
How we caught the Axios supply chain attack The author built a proof-of-concept AI-driven monitor that diffs package releases and flagged a malicious npm compromise of Axios that used a phantom dependency with a postinstall hook to deploy cross-platform malware. The incident ties into a wider supply-chain campaign (Trivy → LiteLLM → Telnyx → Axios) attributed to TeamPCP, prompting coordinated detection, takedown, and recommendations for registry monitoring and release soak times. #Axios #TeamPCP

A proof-of-concept AI-driven supply-chain monitor detected a malicious npm compromise in Axios, linked to a broader campaign by TeamPCP involving phantom dependencies and postinstall hooks deploying cross-platform malware. #SupplyChain #npmAttack

0 0 0 0
Supply Chain Attack on Axios Pulls Malicious Dependency from npm Attackers published compromised Axios releases (axios@1.14.1 and axios@0.30.4) that introduced a trojanized dependency plain-crypto-js@4.2.1, which uses a postinstall dropper to deliver platform-specific payloads and a macOS Mach-O RAT capable of command execution, data collection, and persistence. Socket and other researchers tracked the C2 to sfrclak[.]com, identified additional tainted packages and vendor chains, and have recommended revoking tokens, checking lockfiles, and rolling back affected versions. #Axios #plain-crypto-js

A supply chain attack compromised Axios npm releases (1.14.1 & 0.30.4) by injecting plain-crypto-js@4.2.1, a trojanized dependency delivering a macOS RAT with data collection and command execution. #SupplyChain #npmAttack #USA

0 0 0 0
Compromised axios npm package delivers cross-platform RAT On March 31, 2026, an attacker hijacked an axios npm maintainer account and published malicious releases (axios@1.14.1 and 0.30.4) that added a typosquatted dependency plain-crypto-js which executed a cross-platform RAT during npm install. The compromise was active for about three hours before npm removed the packages; the RAT communicated with C2 sfrclak[.]com and delivered macOS, Windows, and Linux payloads (all containing bugs), while maintainers and npm revoked tokens and mitigations followed. #axios #plain-crypto-js

On March 31, 2026, an attacker hijacked an axios npm maintainer account to publish malicious versions 1.14.1 and 0.30.4, adding the typosquatted dependency plain-crypto-js that deployed a cross-platform RAT during install. #npmAttack #CrossPlatform #USA

0 0 0 0
CanisterWorm: npm Publisher Compromise Deploys Backdoor Across 29+ Packages Socket’s Threat Research Team uncovered a worm-enabled npm supply chain attack that compromised legitimate publisher namespaces including @emilgroup and @teale.io, replacing package contents with a Python implant that polls an ICP canister for rotatable second-stage payloads. The campaign, dubbed CanisterWorm, uses postinstall hooks, a systemd --user persistent service named pgmon, and a deploy.js republishing worm that leverages npm publishing tokens (often published with --tag latest) to propagate. #CanisterWorm #EmilGroup

CanisterWorm campaign compromises 29+ npm packages across @emilgroup and @teale.io namespaces, deploying a Python backdoor that fetches second-stage payloads via ICP canisters. Uses npm tokens and postinstall hooks. #SupplyChain #NPMAttack

0 0 0 0

Shai-Hulud Attack Escalates: ClownStrike NPM Packages Compromised
www.potatokendra.com/2025/09/shai...
#npmattack #potatosecurity #infosec #clownstrike

0 0 0 0
Shai-Hulud Attack Escalates: CrowdStrike NPM Packages Compromised Another wave of the NPM hack.

Shai-Hulud Attack Escalates: CrowdStrike NPM Packages Compromised
www.cyberkendra.com/2025/09/shai...
#npmattack #cybersecurity #infosec #crowdstrike

1 0 0 0

Although npm has been compromised, your site is probably not affected. Read this article to help you keep calm and avoid panicking, while still keeping an eye on web security:

metadrop.net/en/articles/...

#SupplyChainAttack #npmSecurity #npmAttack

1 1 1 0
Original post on mastodon.social

All the recent supply chain attacks in #npm based on phishing are sad.

I know I would probably fall for them even though my company does continuous phishing training, and my bank sends me a reminder to not click email links regularly (good job Fineco!).

My 2c: It's probably time for *mail […]

0 0 0 0
DuckDB Packages Compromised in Latest NPM Supply Chain Attack NPM Supply Chain Massive Security Breach

🔥 The NPM supply chain attack just got bigger!
DuckDB database packages have been compromised with crypto-stealing malware. A simple phishing email led to packages used by thousands of developers being infected.
www.cyberkendra.com/2025/09/duck...

#supplychain #npmPackage #npmattack #hack

0 0 0 0

⚠️ Charles Guillemet, Ledger's CTO, warned of an attack that began with the compromise of a trusted developer's NPM account and injected malicious code that automatically swaps crypto wallet addresses in the browser, putting funds at risk without users' knowledge. Verify addresses manually before approving. #Crypto #Security #Ledger #NPMAttack

0 0 0 0
NPM Attack on Core JavaScript Libraries Puts Millions of Crypto Users at Risk - A massive security breach has rocked the open-source ecosystem after hackers compromised widely used JavaScript libraries

NPM Attack on Core JavaScript Libraries Puts Millions of Crypto Users at Risk

#NPMAttack #javascript
chainaffairs.com/npm-attack-o...

0 0 0 1
Trusted publishing for npm packages | npm Docs Documentation for the npm registry, website, and command-line interface

Also, npm now supports trusted publishing: https://docs.npmjs.com/trusted-publishers

This means you don't need a static token in your CI/CD configuration anymore.

#npm #npmattack

1 1 0 0

Pro-tip for npm: rather than using a classic access token in your ~/.npmrc file, generate a granular access token that only has read permissions.

That way if something does compromise you, they only get access to the read token and cannot publish on your behalf.

#npm #npmattack

0 1 1 0
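The two posts above make one point from two sides: keep no publish-capable static token anywhere the phishing or postinstall malware described on this page can read it. As an added illustration that is not from the npm docs or either poster, here is a GitHub Actions publish job written the old way and the trusted-publishing way. It assumes the package already has this repository and workflow file registered as a trusted publisher on npmjs.com and that the runner's npm CLI is new enough for trusted publishing (the job upgrades it to be safe); job name, Node version and trigger are illustrative.

```yaml
# Added example, not from the posts above. Publishing a package from CI.
name: publish
on:
  release:
    types: [published]

jobs:
  # BEFORE: a long-lived automation token lives in repository secrets and is
  # exposed to every step of the job, including any compromised postinstall.
  publish-with-static-token:
    if: false   # kept only for comparison
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

  # AFTER: no npm secret at all. The job requests a short-lived OIDC token
  # from GitHub and npm accepts it because this repo/workflow is registered
  # as a trusted publisher for the package.
  publish-trusted:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # lets the job mint the OIDC token npm verifies
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm install -g npm@latest   # assumption: bundled npm may predate trusted publishing
      - run: npm ci --ignore-scripts      # build-time install with no lifecycle scripts
      - run: npm publish                  # authenticated via OIDC, no NODE_AUTH_TOKEN
```

Locally, the same principle is the read-only granular token from the second post: `npm login` or a publish-scoped token should exist only for the moment of a manual publish, and `~/.npmrc` should otherwise hold nothing a stolen laptop session can push to the registry with.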
NPM Supply Chain Attack: Backdoor Malware Spreading | AI News JavaScript packages compromised! Learn about the NPM supply chain attack and how it exposed users to backdoor malware.

AIMindUpdate News!
Critical alert! Popular JavaScript packages were compromised in a supply chain attack, exposing users to backdoor malware. #NPMattack #SupplyChainSecurity #JavaScriptMalware

Click here↓↓↓
aimindupdate.com/2025/07/26/n...

0 0 0 0
Sophisticated npm Attack Highlights Software Supply Chain Vulnerabilities | The DefendOps Diaries Explore a sophisticated npm attack revealing software supply chain vulnerabilities and the need for enhanced security measures.

Sophisticated npm Attack Highlights Software Supply Chain Vulnerabilities

#npmattack
#softwaresupplychain
#cybersecurity
#opensourcesecurity
#maliciouspackages

0 0 0 0