
The Axios Breach Started with a Plaintext Token — Here's How I Keep Zero Secrets in My Repos
Last week, a North Korean state actor compromised the axios npm package — 100 million weekly downloads — and pushed a cross-platform RAT to every machine that ran npm install during a three-hour window. The entire attack chain started with one thing: a long-lived npm token stored in plaintext on a developer's machine.

The attacker social-engineered the maintainer into installing malware. The malware harvested the token. The token was used to publish malicious versions. Even though the project had OIDC trusted publishing configured — the "right" way — the legacy plaintext token sitting alongside it provided a bypass.

One plaintext secret. 100 million affected installs.

This is not a one-off

The axios breach fits a pattern that's accelerating:

28.65 million new hardcoded secrets were pushed to public GitHub repos in 2025 — up 34% year-over-year (GitGuardian, 2026)
64% of secrets leaked in 2022 were still active in 2026 — nobody rotated them
AI-assisted commits leak secrets at 2x the ba
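The failure mode described above is a long-lived publish token sitting in plaintext in a file such as .npmrc, next to an OIDC setup that was supposed to make it unnecessary. The following is an added example, not code from the post or from the axios project: a small scanner that can run as a pre-commit hook and refuses the commit when a file contains an npm-style token, a hard-coded registry _authToken, or a high-entropy value assigned to a secret-looking key, while accepting the safe `${NPM_TOKEN}` environment-variable interpolation that npm supports in .npmrc. The `npm_` prefix is what npm uses for its access tokens; the fixed length of 36 characters after it is an assumption, and all sample file contents and token values below are constructed, not real secrets.

```python
"""Block commits that carry plaintext registry tokens (added example, not the post's code)."""
import math
import re
import sys
from collections import Counter
from pathlib import Path

# npm access tokens start with "npm_"; the 36-character body length is an assumption.
NPM_TOKEN_RE = re.compile(r"\bnpm_[A-Za-z0-9]{36}\b")
# .npmrc auth line: //registry.example/:_authToken=<value>
AUTH_TOKEN_RE = re.compile(r"_authToken\s*=\s*(\S+)")
# A long, secret-looking value assigned to a key named like a credential.
ASSIGNMENT_RE = re.compile(
    r"(?i)(token|secret|password|api[_-]?key)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"
)
# Random tokens sit well above this; English-like placeholders sit below it.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(value: str) -> float:
    """Bits per character of the value's own symbol distribution."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> list[tuple[str, int, str]]:
    """Return (path, line number, finding kind) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if NPM_TOKEN_RE.search(line):
            findings.append((path, lineno, "npm-token"))
            continue
        auth = AUTH_TOKEN_RE.search(line)
        if auth:
            # "${VAR}" is resolved by npm at run time; the secret is not in the repo.
            if not auth.group(1).startswith("${"):
                findings.append((path, lineno, "registry-auth-token"))
            continue
        assign = ASSIGNMENT_RE.search(line)
        if assign and shannon_entropy(assign.group(2)) > ENTROPY_THRESHOLD:
            findings.append((path, lineno, "high-entropy-secret"))
    return findings


def scan_files(files: dict[str, str]) -> list[tuple[str, int, str]]:
    """Scan an in-memory {path: content} mapping; the hook feeds it real files."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository contents (none of these values are real credentials).
SAMPLE_FILES = {
    # Legacy long-lived publish token written to .npmrc by a login (constructed value).
    ".npmrc": "//registry.npmjs.org/:_authToken=npm_x1Y2z3W4v5U6t7S8r9Q0pOnMlKjIhGfEdCbA\n",
    # The same file done right: the token is injected from the environment at run time.
    ".npmrc.ci": "//registry.npmjs.org/:_authToken=${NPM_TOKEN}\n",
    # Application config: one hard-coded key, one harmless placeholder, one env lookup.
    "settings.py": (
        'API_KEY = "9f8e7d6c5b4a39281706f5e4d3c2b1a0"\n'
        'PASSWORD = "changeme-changeme-changeme"\n'
        'TOKEN = os.environ["NPM_TOKEN"]\n'
    ),
}


def main(argv: list[str]) -> int:
    """Pre-commit entry point: pass staged file paths; exit 1 if anything is found."""
    if len(argv) > 1:
        files = {p: Path(p).read_text(errors="replace") for p in argv[1:]}
    else:
        files = SAMPLE_FILES  # demo run on the constructed samples
    findings = scan_files(files)
    for path, lineno, kind in findings:
        print(f"{path}:{lineno}: {kind}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired in as a pre-commit hook (`python scan_secrets.py $(git diff --cached --name-only)`), the non-zero exit stops the commit before the token ever reaches history, which is cheaper than rotating it afterwards. The entropy fallback is deliberately crude; it exists to catch keys the fixed patterns miss, and the `${VAR}` exception is what lets CI keep using .npmrc without the token living in the file.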
Continue reading on Dev.to


