raptor 19h ago
Simon Willison
Warning to open source maintainers: the Axios supply chain attack started with some
very sophisticated social engineering targeted at one of their developers https://simonwillison.net/2026/Apr/3/supply-chain-social-engineering/
The Axios supply chain attack used individually targeted social engineering

The Axios team have published a full postmortem on the supply chain attack which resulted in a malware dependency going out in a release the other day, and it involved …

Simon Willison’s Weblog
Apr 3 at 2:55pmWeb
Show threadStephen Bannasch (316 ppm)21h ago

@simon

Also this whole thread by Axios developers is very detailed and quite interesting: https://github.com/axios/axios/issues/10636

#axios

Post Mortem: axios npm supply chain compromise · Issue #10636 · axios/axios

Post Mortem: axios npm supply chain compromise Date: March 31, 2026 Author: Jason Saayman Status: Remediation in progress On March 31, 2026, two malicious versions of axios (1.14.1 and 0.30.4) were...

GitHub
Show threadcodingjoe  20h ago
@simon we live in a crazy timeline. Frist, xz, now this. Makes you wonder how many haven't been discovered. I'd certainly fall for it myself.
Show threadOlivier Forget20h ago
@simon With the web tech we have available it's a shame people have to install stuff just to join a meeting.
Show threadSam19h ago
@teleclimber @simon yes but i think in part it's not tech but the context. if you were offered a chance at a dream job or whatever, you might overlook some inconvenience (joining a call using unsafe software) in order to participate. with ai i think it's easier to mimic the context.
Show threadErik van Straten19h ago

@simon : This may be a very effective scam, but it is not sophisticated - it is "good old" social engineering. No excuses.

Do not update or install software by clicking on something that pops up telling you to do so. Visit the manufacturer's website instead.

If your "bank" calls you and tells you that your savings will get stolen if you don't do immediately and exactly do as they say: hang up. Call your bank on their well known phone number and ask what is going on.

Don't just trust anyone or anything out of the blue. It's way too easy to spoof identities online. Take back control.

@0f4d0335 @teleclimber

#Phishing #Spoofing #Malware #RAT

Show threadGhostOnTheHalfShell18h ago

@simon

If you’ve heard about the elements of Claude source code incorporating addictive gaming design and sycophancy, it makes the situation even worse for any contributors who are playing around with the technology. At the very least it’s risk factor.

Show threadjlapoutre14h ago

RE: https://fedi.simonwillison.net/@simon/116341351192013388

@simon Broken record here: Why use axios? We have fetch. For 10+ years (or slightly less, too lazy to check my own facts).

Show threadwaldi7h ago
@simon You had me at “I installed something”. Sorry, this is not sophisticated, but basic screw up.
Show threadHella7h ago

@waldi @simon

The sophistication is in the produced social situation, not the technical detail.