Post Mortem: axios NPM supply chain compromise
by Kyro38 on 4/3/2026, 12:00:19 AM
https://github.com/axios/axios/issues/10636
Comments
by: Zopieux
Not much we didn't know (you're basically SOL since an owner was compromised), however we now have a small peek into the actual meat of the social engineering, which is the only interesting news imho: https://github.com/axios/axios/issues/10636#issuecomment-4180237789
4/3/2026, 2:09:58 AM
by: robshippr
The interesting detail from this thread is that every legitimate v1 release had OIDC provenance attestations and the malicious one didn't, but nobody checks. Even simpler, if you're diffing your lockfile between deploys, a brand new dependency appearing in a patch release is a pretty obvious red flag.
4/3/2026, 3:09:08 AM
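An added illustration of the lockfile-diff check described in the comment above (this is example code, not from the thread or from the axios project): it compares two package-lock.json snapshots in the lockfileVersion 3 layout, where every installed package lives under a "packages" map keyed by its node_modules path, and reports each package that is new in the later lock together with the changed parent that now depends on it. A new package pulled in by a parent that moved only a patch version is marked suspicious. Both lockfiles below are constructed sample data, and every package name in them is a placeholder rather than a real npm package.

```javascript
// Added example, not code from the HN thread or the axios project. Diffs two
// package-lock.json objects (lockfileVersion 3, "packages" map) and flags new
// packages introduced by a dependency whose version changed only by a patch.
// BEFORE/AFTER are constructed sample lockfiles; all package names are placeholders.

const BEFORE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'example-http-client': '^1.2.0', 'example-util': '^2.0.0' } },
    'node_modules/example-http-client': { version: '1.2.3', dependencies: { 'example-redirects': '^1.15.0' } },
    'node_modules/example-redirects': { version: '1.15.6' },
    'node_modules/example-util': { version: '2.0.1' },
  },
};

const AFTER = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'example-http-client': '^1.2.0', 'example-util': '^2.0.0' } },
    // Patch bump that silently grows the dependency set: the pattern to flag.
    'node_modules/example-http-client': {
      version: '1.2.4',
      dependencies: { 'example-redirects': '^1.15.0', 'example-new-helper': '^0.1.0' },
    },
    'node_modules/example-new-helper': { version: '0.1.0' },
    'node_modules/example-redirects': { version: '1.15.6' },
    // Minor bump that adds a dependency: reported too, but not marked suspicious.
    'node_modules/example-util': { version: '2.1.0', dependencies: { 'example-minor-dep': '^1.0.0' } },
    'node_modules/example-minor-dep': { version: '1.0.0' },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function pkgName(lockKey) {
  const parts = lockKey.split('node_modules/');
  return parts[parts.length - 1];
}

// Classify a version change by the leftmost semver component that moved.
// Pre-release and build suffixes are not handled; adequate for a deploy gate.
function bumpKind(from, to) {
  const a = from.split('.').map(Number);
  const b = to.split('.').map(Number);
  if (a[0] !== b[0]) return 'major';
  if (a[1] !== b[1]) return 'minor';
  if (a[2] !== b[2]) return 'patch';
  return 'same';
}

// Added, removed and version-changed packages between two lockfiles.
function diffLockfiles(before, after) {
  const prev = before.packages;
  const next = after.packages;
  const added = [];
  const removed = [];
  const changed = [];
  for (const key of Object.keys(next)) {
    if (key === '') continue; // root project entry, not a dependency
    if (!(key in prev)) {
      added.push(key);
    } else if (prev[key].version !== next[key].version) {
      changed.push({ key, from: prev[key].version, to: next[key].version,
                     bump: bumpKind(prev[key].version, next[key].version) });
    }
  }
  for (const key of Object.keys(prev)) {
    if (key !== '' && !(key in next)) removed.push(key);
  }
  return { added, removed, changed };
}

// For each package new in AFTER, find the changed package(s) whose dependency
// list now names it; suspicious when that parent moved only by a patch version.
function flagNewDependencies(before, after) {
  const { added, changed } = diffLockfiles(before, after);
  const findings = [];
  for (const addedKey of added) {
    const name = pkgName(addedKey);
    for (const ch of changed) {
      const deps = after.packages[ch.key].dependencies || {};
      if (name in deps) {
        findings.push({ newDependency: name, introducedBy: pkgName(ch.key),
                        from: ch.from, to: ch.to, bump: ch.bump,
                        suspicious: ch.bump === 'patch' });
      }
    }
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(flagNewDependencies(BEFORE, AFTER), null, 2));
}
```

In a real pipeline the two objects would come from `JSON.parse` of the lockfile committed before and after the dependency update, and a non-empty `suspicious` list would fail the build for a human to look at. This covers only the lockfile half of the comment; checking that a published version carries a provenance attestation is a separate step (npm's `npm audit signatures` verifies registry signatures and attestations for installed packages).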
by: akersten
Any good payload analysis been published yet? Really curious if this was just a one and done info stealer or if it potentially could have clawed its way deeper into affected systems.
4/3/2026, 2:08:16 AM
by: fraywing
Incredible uptick in supply chain attacks over the last few weeks.

I feel like npm specifically needs to up their game on SA of malicious code embedded in public projects.
4/3/2026, 1:43:48 AM
by: uticus
> March 31, around 01:00 UTC: community members file issues reporting the compromise. The attacker deletes them using the compromised account.

Interesting it got caught when it did.
4/3/2026, 1:30:39 AM
by: charcircuit
Does OIDC flow block this same issue of being able to use a RAT to publish a malicious package?
4/3/2026, 2:04:11 AM