MCP Connector Poisoning: How Compromised npm Packages Hijack Your AI Agent

This article was originally published on LucidShark Blog . On March 31, 2026, the axios npm package, one of the most-downloaded JavaScript libraries in existence with over 100 million weekly installs, was compromised via a hijacked maintainer account. Two malicious versions injected a hidden dependency that silently deployed a cross-platform Remote Access Trojan on macOS, Windows, and Linux. After execution, the malware erased itself from node_modules, leaving no visible trace. The timing was brutal. Developers worldwide running npm install or npm update on projects with a caret dependency on axios (the default) pulled the compromised version without any indication that anything was wrong. But the story gets worse when you factor in the new reality of AI-assisted development: coding agents do not wait for human approval before running npm install. ⚠️ The new threat model: AI coding agents like Claude Code, Cursor, and GitHub Copilot Workspace autonomously execute npm install, pip insta

MCP Connector Poisoning: How Compromised npm Packages Hijack Your AI Agent

Related Articles

Building DNS query tool from scratch using C

How to build .NET obfuscator - Part I

How to Use Traceroute and MTR to Diagnose Network Issues

apt-key Deprecation: Add Repositories with GPG on Ubuntu

How To Use Variadic Functions in Go

Related Articles

How-To
Building DNS query tool from scratch using C
Reddit Programming • 1d ago

How-To
How to build .NET obfuscator - Part I
Reddit Programming • 2d ago

How-To
How to Use Traceroute and MTR to Diagnose Network Issues
DigitalOcean Tutorials • 1w ago

How-To
apt-key Deprecation: Add Repositories with GPG on Ubuntu
DigitalOcean Tutorials • 1w ago

How-To
How To Use Variadic Functions in Go
DigitalOcean Tutorials • 2w ago