Tag

npm Security

npm remains one of the highest-leverage attack surfaces in modern software delivery: a single compromised package can reach millions of installs through caret ranges and transitive dependencies. These articles examine npm-specific supply chain tradecraft — maintainer account takeover, malicious postinstall hooks, typosquatted helper packages, and worm-style propagation — with deep coverage of the axios compromise and related TeamPCP activity across the JavaScript ecosystem. The focus is practical for AppSec and platform teams: how to detect poisoned releases quickly, contain exposure in CI and developer workstations, rotate credentials with confidence, and harden install-time controls without slowing delivery. Use this tag to follow npm incident response guidance grounded in real campaigns rather than generic dependency hygiene checklists.

1 article

16 min read

Axios Supply Chain Attack Explained: npm's Most Popular HTTP Client Compromised with Cross-Platform RAT

On March 31, 2026, an attacker hijacked the lead axios maintainer's npm account and published two malicious versions — axios@1.14.1 and axios@0.30.4 — injecting a cross-platform remote access trojan via a fake dependency. Here is the full timeline, technical analysis, IOCs, and what to do if you are affected.

Ready to try autonomous pentesting?

See how Revaizor can transform your security testing.

Request Early Access