The axios Attack Changed How I Think About npm Dependencies

Supply Chain Attack Defense 4-point consensus reached after the axios npm + litellm PyPI attacks — March 2026 What Happened axios (npm) — March 31, 2026: Malicious versions 1.14.1 and 0.30.4 published via compromised maintainer credentials RAT dropper injected via postinstall script in a fake dependency ( plain-crypto-js ) Self-destructed after execution — left no trace in node_modules Detected by runtime network monitoring spotting an anomalous C2 callback during CI Poisoned versions live for ~1 hour before takedown litellm (PyPI) — March 24, 2026: Version 1.82.8 compromised — exfiltrated SSH keys, AWS/GCP/Azure creds, Kubernetes configs, env vars, shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords 97M downloads/month; contagion spread to anything depending on litellm (e.g. dspy ) Only caught because the malware had an OOM bug that crashed a developer's machine Without that bug: undetected for weeks Karpathy's conclusion: "Classical software engineering

The axios Attack Changed How I Think About npm Dependencies

Related Articles

Why this Marshall is the first soundbar I've tested that truly challenges my Sonos Arc Ultra

This App Makes Even the Sketchiest PDF or Word Doc Safe to Open

References: The Alias You Didn’t Know You Needed

Pointers: The Concept Everyone Says Is Hard

Learning a Recurrent Visual Representation for Image Caption Generation

Related Articles

How-To
Why this Marshall is the first soundbar I've tested that truly challenges my Sonos Arc Ultra
ZDNet • 1h ago

How-To
This App Makes Even the Sketchiest PDF or Word Doc Safe to Open
Wired • 1h ago

How-To
References: The Alias You Didn’t Know You Needed
Medium Programming • 2h ago

How-To
Pointers: The Concept Everyone Says Is Hard
Medium Programming • 3h ago

How-To
Learning a Recurrent Visual Representation for Image Caption Generation
Dev.to • 4h ago