Jason Saayman hit by network compromise
Incident
Summary
Hide ▲
Show ▼
The Axios npm package was compromised after maintainer Jason Saayman's npm account was taken over, and malicious versions were published to the registry. The release created a supply-chain risk for a package with 100M+ weekly downloads and potential downstream impact across Linux, Windows, and macOS environments. The malicious update path used an install-time dependency and post-install script to fetch payloads from a C2 server and deploy a remote access trojan. Users were advised to pin to the last known clean releases, [email protected] and [email protected].
Related Happenings
Sapphire Sleet Mastra npm supply-chain campaign
Campaign
H score42
First: 20.06.2026 17:09
Last: 20.06.2026 17:09
Sources 1
About this happening:
The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Sapphire Sleet Mastra npm supply-chain campaign
CampaignAbout this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Easy-day-js Mastra package-publishing campaign
Campaign
H score30
First: 17.06.2026 10:38
Last: 17.06.2026 10:38
Sources 1
About this happening:
The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...
Easy-day-js Mastra package-publishing campaign
CampaignAbout this happening: The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...
Mastra @mastra/* npm packages hit by network compromise
Incident
H score47
First: 17.06.2026 10:38
Last: 17.06.2026 10:38
Sources 1
About this happening:
**Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...
Mastra @mastra/* npm packages hit by network compromise
IncidentAbout this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...
Latest development: 20.06.2026 17:09
Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.
Malware-Slop malicious npm file-theft campaign
Campaign
H score39
First: 27.05.2026 18:44
Last: 27.05.2026 18:44
Sources 1
About this happening:
**Malware-Slop** is distributing **mouse5212-super-formatter**, a malicious **npm** package that steals local files from **Anthropic's Claude** workspace directory **/mnt/user-dat...
Malware-Slop malicious npm file-theft campaign
CampaignAbout this happening: **Malware-Slop** is distributing **mouse5212-super-formatter**, a malicious **npm** package that steals local files from **Anthropic's Claude** workspace directory **/mnt/user-dat...
Laravel Lang organization hit by network compromise
Incident
H score14
First: 23.05.2026 23:48
Last: 23.05.2026 23:48
Sources 1
About this happening:
The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...
Laravel Lang organization hit by network compromise
IncidentAbout this happening: The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...
Timeline
-
01.04.2026 12:00 1 articles · 3mo ago
GTIG attributes Axios compromise to UNC1069
Attribution UpdateGoogle Threat Intelligence Group attributed the Axios npm supply-chain compromise to UNC1069, citing the use of WAVESHAPER.V2 and describing the actor as financially motivated and North Korea-nexus. GTIG also warned that malicious axios releases v1.14.1 and v0.30.4, delivered through Jason Saayman’s compromised account and plain-crypto-js, could have a broad blast radius across dependent packages and developer environments.
Show sources
- Hackers Hijack Axios npm Package to Spread RATs — www.infosecurity-magazine.com — 01.04.2026 12:00
-
31.03.2026 16:53 1 articles · 3mo ago
Jason Saayman hit by network compromise
Initial DisclosureThe first phase was the publication of **[email protected]** and **[email protected]** after the maintainer's **npm account** was compromised. Those releases inserted an install-time dependency that served as the initial delivery path for the malware.
Show sources
- Hackers compromise Axios npm package to drop cross-platform malware — www.bleepingcomputer.com — 31.03.2026 16:53