Warning to open source maintainers: the Axios supply chain attack started with some
very sophisticated social engineering targeted at one of their developers https://simonwillison.net/2026/Apr/3/supply-chain-social-engineering/

@simon

Also this whole thread by Axios developers is very detailed and quite interesting: https://github.com/axios/axios/issues/10636

#axios

@simon we live in a crazy timeline. First, xz, now this. Makes you wonder how many haven't been discovered. I'd certainly fall for it myself.
@simon With the web tech we have available it's a shame people have to install stuff just to join a meeting.
@teleclimber @simon Yes, but I think in part it's not tech but the context. If you were offered a chance at a dream job or whatever, you might overlook some inconvenience (joining a call using unsafe software) in order to participate. With AI I think it's easier to mimic the context.

@simon : This may be a very effective scam, but it is not sophisticated - it is "good old" social engineering. No excuses.

Do not update or install software by clicking on something that pops up telling you to do so. Visit the manufacturer's website instead.

If your "bank" calls you and tells you that your savings will get stolen if you don't immediately and exactly do as they say: hang up. Call your bank on their well-known phone number and ask what is going on.

Don't just trust anyone or anything out of the blue. It's way too easy to spoof identities online. Take back control.

@0f4d0335 @teleclimber

#Phishing #Spoofing #Malware #RAT

@simon

If you’ve heard about the elements of Claude source code incorporating addictive gaming design and sycophancy, it makes the situation even worse for any contributors who are playing around with the technology. At the very least it’s a risk factor.

RE: https://fedi.simonwillison.net/@simon/116341351192013388

@simon Broken record here: Why use axios? We have fetch. For 10+ years (or slightly less, too lazy to check my own facts).