© 2026 FlareStart. All rights reserved.
Welcome to Transitive Dependency Hell

How-To · Tools

via Dev.to · RoseSecurity · 3h ago

At 00:21 UTC on March 31, someone published axios@1.14.1 to npm. Three hours later it was pulled. In between, every npm install and npx invocation that resolved axios@latest executed a backdoor on the installing machine. Axios has roughly 80 million weekly downloads, and here's what that three-hour window looked like from one developer's MacBook.

Monday Night

A developer sits down, opens a terminal, and runs a command they've run dozens of times before:

npx --yes @datadog/datadog-ci --help

A legitimate tool from a legitimate vendor. The --yes flag skips npm's confirmation prompt. The developer (or Claude) isn't even using the tool yet, just checking its options. npm resolves the dependency tree and starts writing packages to disk: dogapi, escodegen, esprima, js-yaml, fast-xml-parser, rc, is-docker, semver, uuid, and axios. All names you'd recognize, and all packages that individually look fine. But axios just resolved to 1.14.1, which is not the version that Axios's maintain
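The excerpt above is about a transitive dependency resolving to a release nobody asked for. A defender-side check for exactly that situation, added here as an example and not code from the Dev.to article or from npm: it walks a package-lock.json (lockfileVersion 3, the real format), lists every installed copy of a named package together with the chain of dependents that pulls it in, and flags copies whose resolved version is on a known-bad list. The lockfile below is constructed for the example; apart from axios@1.14.1, which the article names, its version numbers and ranges are made up.

```javascript
// Added example, not from the article: walk an npm package-lock.json (lockfileVersion 3), list
// every installed copy of a package with its dependent chain, and flag known-bad releases.
const KNOWN_BAD = { axios: new Set(['1.14.1']) }; // the release named in the article
// Constructed lockfile mirroring the article's chain; versions other than 1.14.1 are made up.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { dependencies: { '@datadog/datadog-ci': '^2.0.0', axios: '^0.27.0' } },
  'node_modules/axios': { version: '0.27.2' },                       // hoisted copy, used by root
  'node_modules/@datadog/datadog-ci': { version: '2.0.0', dependencies: { axios: '^1.0.0' } },
  'node_modules/@datadog/datadog-ci/node_modules/axios': { version: '1.14.1' }, // nested copy
} };
// npm resolution: `dep` of the package at lock path `from` is the nearest node_modules/<dep>
// walking upward ('' is the project root); returns null if it is not installed at all.
function resolveDep(packages, from, dep) {
  for (let base = from; ; ) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + dep;
    if (packages[candidate]) return candidate;
    if (base === '') return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}
// Returns [{ path, version, chain, knownBad }] per installed copy of `name`; `chain` lists
// package names from the top-level dependent down to that copy.
function findInstalls(lock, name) {
  const packages = lock.packages;
  const dependents = {}; // lock path -> Set of lock paths whose dependencies resolve to it
  for (const [from, entry] of Object.entries(packages)) {
    for (const dep of Object.keys(entry.dependencies || {})) {
      const to = resolveDep(packages, from, dep);
      if (to) (dependents[to] || (dependents[to] = new Set())).add(from);
    }
  }
  const results = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (!path.endsWith('node_modules/' + name)) continue;
    const chain = [], seen = new Set();
    for (let cur = path; cur !== '' && !seen.has(cur); ) { // follow one dependent edge up to root
      seen.add(cur);
      chain.unshift(cur.slice(cur.lastIndexOf('node_modules/') + 'node_modules/'.length));
      const up = dependents[cur];
      cur = up && up.size ? up.values().next().value : '';
    }
    const bad = KNOWN_BAD[name];
    results.push({ path, version: entry.version, chain, knownBad: !!(bad && bad.has(entry.version)) });
  }
  return results;
}
// Stand-alone run over the constructed lockfile; prints e.g. "@datadog/datadog-ci > axios@1.14.1  KNOWN BAD".
for (const r of findInstalls(SAMPLE_LOCK, 'axios'))
  console.log(`${r.chain.join(' > ')}@${r.version}${r.knownBad ? '  KNOWN BAD' : ''}`);
```

On a real project, pass `JSON.parse(fs.readFileSync('package-lock.json'))` as the lock; npx runs without a lockfile at all, which is why a pinned, committed lockfile plus a check like this is the first line of defence against a floating `latest`.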

Continue reading on Dev.to

