Kyro38Apr 3

Post Mortem: axios NPM supply chain compromise

https://github.com/axios/axios/issues/10636

Post Mortem: axios npm supply chain compromise · Issue #10636 · axios/axios

Post Mortem: axios npm supply chain compromise Date: March 31, 2026 Author: Jason Saayman Status: Remediation in progress On March 31, 2026, two malicious versions of axios (1.14.1 and 0.30.4) were...

GitHub
Show threadfraywingApr 3

Incredible uptick in supply chain attacks over the last few weeks.

I feel like npm specifically needs to up their game on SA of malicious code embedded in public projects.

Show threadipnon
NPM is designed to let you run untrusted code on your machine. It will never work. There is no game to step up. It's like asking an ostrich to start flying.
Apr 3 at 2:07amWeb
Show threaddcrazyApr 3
It’s far from a complete solution, but to mitigate this specific avenue of supply chain compromise, couldn’t Github/npm issue single-purpose physical hardware tokens and allow projects (or even mandate, for the most popular ones) maintainers use these hardware tokens as a form of 2FA?