
You Ran Npm Install And Got Hacked

19 Npm Packages Compromised In Major Supply Chain Attack Ox Security

When developers or CI systems ran npm install, those scripts pulled in and executed a hidden payload. That payload stole secrets and used them to compromise even more repositories and. On March 31, 2026, two malicious versions of axios, the enormously popular JavaScript HTTP client with over 100 million weekly downloads, were briefly published to npm via a compromised maintainer account. The packages contained a hidden dependency that deployed a cross-platform remote access trojan (RAT) to any machine that ran npm install (or the equivalent in other package managers like bun).

Npm Hack Shows Supply Chain Threats Still Endanger Crypto

A recent supply chain attack involving axios exposed a critical weakness in how modern JavaScript applications manage dependen. During that window, anyone who ran npm install axios could have had a remote access trojan (RAT) dropped silently on their machine or CI runner, with no errors and no warnings. This post breaks down what happened, how the attack worked, and the exact commands to check if you were affected. The axios team suggests developers check for compromised dependency versions on their systems. Many other packages depend on it and could have unknowingly pulled the malware during a routine npm install or update command. A sophisticated supply chain attack campaign dubbed "Shai-Hulud v2" has compromised hundreds of packages within the npm ecosystem and has now spilled over into Java Maven artifacts.

Hundreds Of Npm Packages Hit In Ongoing Attack Cybernews

If that developer's npm token gets phished, the entire tree is compromised, and millions of projects inherit the payload on their next install. GlassWorm exploits this reality systematically: it does not need to compromise a top-level package with vigilant maintainers and automated security scans. With one phishing email, a compromised npm package gave attackers access to 18 high-profile JavaScript libraries maintained by Josh Junon (npm username: qix). Together, these packages account for over 2.6 billion weekly downloads. Learn how the Shai-Hulud 2.0 worm-like malware campaign compromised 492 npm packages with 132M monthly downloads, how it steals developer credentials and propagates automatically, and how to protect your projects from this sophisticated supply chain attack. On March 31, 2026, two new npm packages for updated versions of axios, a popular HTTP client for JavaScript that simplifies making HTTP requests to a REST endpoint, with over 70 million weekly downloads, were identified as malicious.

Malware Found On Npm Infecting Local Package With Reverse Shell
