NodeJS, for all the brilliant projects out there leaning on it, has a supply chain that might as well run the length of a dark alley permanently at 2am in the club district.

https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html

Anyway, hope none of you good people are affected by this latest pox

#infosec #sysadmin

Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account

Axios 1.14.1 and 0.30.4 injected malicious [email protected] after npm compromise on March 31, 2026, deploying cross-platform RAT malware.

The Hacker News

@JulianOliver
Because this happens periodically, I don't want to run Node projects without strict isolation, or else I don't use them, like node-red.

@aral

@dzwiedziu @JulianOliver @aral In my book, using axios is also a big indicator of incompetence. Ffs, it's a library for async HTTP requests!
@dzwiedziu @aral And fair enough. Any NodeJS projects I deploy are in tightly isolated VM jails & run depriv'd. But yes, while I would rather not touch it altogether, some fine projects are built atop it. Cryptpad and Peertube come immediately to mind.