The Axios library was attacked through a supply chain, with hackers using stolen npm tokens to implant a remote trojan, affecting about 80% of cloud environments
The attacker stole the npm access token of the lead maintainer of Axios, the most popular HTTP client library for JavaScript, and used it to publish two malicious versions, axios@1.14.1 and axios@0.3.4, each carrying a cross-platform remote access trojan (RAT) that targets macOS, Windows, and Linux systems. The malicious packages were removed from the npm registry about 3 hours after they were published.
According to data from the security company Wiz, Axios is downloaded over 100 million times a week and is present in about 80% of cloud and code environments. The security company Huntress detected the first infections just 89 seconds after the malicious packages went live and confirmed that at least 135 systems were compromised during the exposure window. Notably, the Axios project had already adopted modern publishing safeguards such as OIDC trusted publishing and SLSA provenance attestations, yet the attacker bypassed them entirely. The investigation found that when OIDC was set up, the project kept its traditional long-lived NPM_TOKEN in place, and npm defaults to the traditional token whenever both are available, so the stolen token let the attacker publish without ever touching the OIDC flow.
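The failure mode described above comes down to one leftover line in a release pipeline. The workflow below is a constructed illustration added here, not the Axios project's real pipeline (the workflow name, tag pattern and action versions are assumptions); it shows the OIDC-only publish step and, commented out, the legacy-token line whose presence would make npm skip OIDC and fall back to the long-lived secret.

```yaml
# Constructed GitHub Actions release workflow (added example, not the Axios
# project's own pipeline). With OIDC trusted publishing the job needs only the
# `id-token: write` permission and a registry-url, so that setup-node and npm
# can exchange the job's short-lived OIDC token for a publish credential.
name: release
on:
  push:
    tags: ['v*']

permissions:
  contents: read
  id-token: write        # lets the job request a GitHub OIDC token

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org   # needed for the OIDC exchange
      - run: npm ci
      - run: npm publish --provenance --access public
        # The bypass the article describes: if this step also carries the legacy
        # secret, npm uses it and the OIDC exchange never happens, so whoever
        # holds NPM_TOKEN can publish exactly as the attacker did.
        #
        #   env:
        #     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # remove this
        #
        # Deleting the line is not enough: the token stays valid until it is
        # revoked (`npm token list`, then `npm token revoke <id>`) and removed
        # from the repository secrets, otherwise a stolen copy still works
        # from any machine outside CI.
```

A quick pre-release check is to grep the workflow files and any `.npmrc` for `_authToken`, `NODE_AUTH_TOKEN` or `NPM_TOKEN`; once trusted publishing is in place, none of them should remain.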
