A long-lived NPM access token was used to bypass the GitHub Actions OIDC-based CI/CD publishing workflow and push backdoored package versions. Malicious versions of the highly popular Axios NPM ...

On March 31, 2026, two new npm packages for updated versions of Axios, a popular HTTP client for JavaScript that simplifies making HTTP requests to a REST endpoint with over 70 million weekly ...

A widely used JavaScript package used with over a hundred million weekly downloads has been compromised in a new supply chain attack to fetch a malware payload for Windows, Linux systems and macOS ...

The Axios JavaScript NPM package was recently compromised, representing one of the highest impact supply chain attacks against the open source development ecosystem in recent months. Axios is the most ...

Axios, a hugely popular JavaScript library with 100 million weekly downloads, has been hit by a critical supply chain attack. In a recurring open-source security crisis, developers unknowingly pulled ...

In December 2025, in response to the Sha1-Hulud incident, npm completed a major authentication overhaul intended to reduce supply-chain attacks. While the overhaul is a solid step forward, the changes ...

NPM, the Node Package Manager, hosts millions of packages and serves billions of downloads annually. It has served well over the years but has its shortcomings, including with TypeScript build ...

A spate of supply chain attacks forces GitHub’s npm to revoke ‘classic’ tokens. Despite this, larger worries about developer account security remain. GitHub has this week implemented the final part of ...

Threat actors have successfully weaponized Zapier’s compromised NPM account to unleash a digital weapon that’s creating chaos across the entire open-source ecosystem. This isn’t your typical data ...

The new self-replicating worm iteration has destructive capabilities, erasing home directory contents if it cannot spread to more repositories. Approximately 640 NPM packages have been infected with a ...

Threat actors are finding new ways to insert invisible code or links into open source code to evade detection of software supply chain attacks. The latest example was found by researchers at ...