I just came across a serious supply chain security incident where the JavaScript HTTP client library axios, one of the most commonly used, was attacked.

Here's what happened: the attacker stole the npm access token of axios's lead maintainer and directly published two malicious versions containing remote access trojans, specifically axios@1.14.1 and axios@0.3.4, which could run on macOS, Windows, and Linux. These malicious packages remained on npm for about 3 hours before being discovered and removed.

The most alarming part is the scope of the impact. axios has over 100 million downloads per week. According to security firm Wiz, approximately 80% of cloud environments and codebases contain axios. Huntress, a security company, responded quickly; they detected the first infections within less than 2 minutes of the malicious packages going live, confirming at least 135 systems had been compromised.

Even more concerning is that the axios project had already implemented modern security measures, including OIDC trusted publishing mechanisms and SLSA provenance proofs, but the attacker completely bypassed them. Investigations revealed the issue was due to misconfiguration: while enabling OIDC, axios still retained the traditional long-lived NPM_TOKEN, and npm prioritized using the legacy token when both were present. This gave attackers an opportunity.

This incident reminds us that having security tools alone isn't enough; proper configuration and process management are equally critical. Many open-source projects may face similar vulnerabilities.