Find notable cyber news and cases, enriched with sources, timelines, and signals.

Axios JavaScript NPM package hit by network compromise

Incident
First reported
Last updated
Happening score
H score 60
2 unique sources, 2 articles

Summary

Hide ▲

Axios suffered a supply-chain compromise after malicious versions were published to NPM, creating a high-risk exposure for developers and downstream consumers. The malicious releases were active for around three hours, and one embedded dependency could deliver a RAT across Windows, Linux, and Mac. The incident matters because Axios is downloaded more than 400 million times per month, so even a short window could affect a very large ecosystem.

Related Happenings

Easy-day-js Mastra package-publishing campaign

Campaign
H score30 First: 17.06.2026 10:38 Last: 17.06.2026 10:38 Sources 1

About this happening: The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...

IronWorm npm supply-chain infection and self-propagation

Malware Activity
H score15 First: 04.06.2026 18:25 Last: 04.06.2026 18:25 Sources 1

About this happening: **IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...

Shai-Hulud worm clone activity on NPM

Malware Activity
H score69 First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Inactive maintainer account 'atiertant' hit by network compromise

Incident
H score13 First: 15.05.2026 20:10 Last: 15.05.2026 20:10 Sources 1

About this happening: The **inactive maintainer account 'atiertant'** for **node-ipc** was **compromised**, enabling malicious package releases that could steal credentials from downstream installation...

TanStack hit by network compromise

Incident
H score29 First: 12.05.2026 17:45 Last: 12.05.2026 17:45 Sources 1

About this happening: **TanStack** was hit by a **package compromise** on **May 11, 2026**, when attackers published **84 malicious versions** across **42 @tanstack/* packages** and abused the release...

Latest development: 21.05.2026 11:00

On May 17, 2026, Grafana Labs said an unauthorized attacker had downloaded its codebase after accessing the firm's GitHub environment, and the company later said additional internal operational information and business contact names and email addresses were taken from its GitHub repositories; Grafana Labs said there was no indication that customer production systems or the Grafana Cloud platform were compromised.

Timeline

  1. 13.04.2026 20:39 1 articles · 2mo ago

    OpenAI rotates macOS code-signing certificates after Axios compromise

    Mitigation Patch Update

    OpenAI is revoking and rotating potentially exposed macOS code-signing certificates after a GitHub Actions workflow executed compromised Axios version 1.14.1 during the March 31, 2026 supply chain attack. The certificate was used to sign OpenAI macOS apps including ChatGPT Desktop, Codex, Codex CLI, and Atlas, and macOS users must update to versions signed with the new certificate before the old certificate is fully revoked on May 8, 2026.

    Show sources
  2. 30.03.2026 03:00 1 articles · 3mo ago

    Axios NPM compromise disclosed

    Initial Disclosure

    StepSecurity identified two malicious Axios NPM releases, [email protected] and [email protected], after the maintainer account "jasonsaayman" was compromised; the releases introduced plain-crypto-js, which impersonated crypto-js and executed a script that installed a cross-platform RAT, and NPM later removed the campaign while defenders were urged to verify dependencies and check indicators of compromise.

    Show sources