Jason Saayman hit by network compromise
Incident
Summary
Hide ▲
Show ▼
The Axios npm package was compromised after maintainer Jason Saayman's npm account was taken over, and malicious versions were published to the registry. The release created a supply-chain risk for a package with 100M+ weekly downloads and potential downstream impact across Linux, Windows, and macOS environments. The malicious update path used an install-time dependency and post-install script to fetch payloads from a C2 server and deploy a remote access trojan. Users were advised to pin to the last known clean releases, [email protected] and [email protected].
Related Happenings
Laravel Lang organization hit by network compromise
Incident
First: 23.05.2026 23:48
Last: 23.05.2026 23:48
Sources 1
About this happening:
The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...
Laravel Lang organization hit by network compromise
IncidentAbout this happening: The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...
Shai-Hulud worm clone activity on NPM
Malware Activity
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Shai-Hulud worm clone activity on NPM
Malware ActivityAbout this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware Activity
First: 18.05.2026 11:57
Last: 18.05.2026 11:57
Sources 1
About this happening:
Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware ActivityAbout this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
TanStack hit by network compromise
Incident
First: 12.05.2026 17:45
Last: 12.05.2026 17:45
Sources 1
About this happening:
**TanStack** was hit by a **package compromise** on **May 11, 2026**, when attackers published **84 malicious versions** across **42 @tanstack/* packages** and abused the release...
TanStack hit by network compromise
IncidentAbout this happening: **TanStack** was hit by a **package compromise** on **May 11, 2026**, when attackers published **84 malicious versions** across **42 @tanstack/* packages** and abused the release...
Latest development: 21.05.2026 11:00
On May 17, 2026, Grafana Labs said an unauthorized attacker had downloaded its codebase after accessing the firm's GitHub environment, and the company later said additional internal operational information and business contact names and email addresses were taken from its GitHub repositories; Grafana Labs said there was no indication that customer production systems or the Grafana Cloud platform were compromised.
Mini Shai-Hulud supply-chain campaign targeting npm and PyPI
Campaign
First: 12.05.2026 17:45
Last: 12.05.2026 17:45
Sources 1
About this happening:
The **Mini Shai-Hulud** **supply-chain campaign** linked to **TeamPCP** expanded into downstream victim reporting, including **Grafana Labs**. Grafana said its **GitHub environmen...
Mini Shai-Hulud supply-chain campaign targeting npm and PyPI
CampaignAbout this happening: The **Mini Shai-Hulud** **supply-chain campaign** linked to **TeamPCP** expanded into downstream victim reporting, including **Grafana Labs**. Grafana said its **GitHub environmen...
Latest development: 21.05.2026 11:00
Grafana Labs said its GitHub environment was accessed and its codebase downloaded, with additional internal operational information taken from GitHub repositories, after compromise linked to the Mini Shai-Hulud campaign and TanStack npm packages. Grafana said it first spotted malicious activity on May 11, discovered the unauthorized download on May 17, and after contact from the ransom gang rotated automation tokens, enabled enhanced monitoring, audited commits since the May 11 incident, and hardened its GitHub security posture, while saying there is no indication customer production systems or operations were compromised.
Timeline
-
01.04.2026 12:00 1 articles · 1mo ago
GTIG attributes Axios compromise to UNC1069
Attribution UpdateGoogle Threat Intelligence Group attributed the Axios npm supply-chain compromise to UNC1069, citing the use of WAVESHAPER.V2 and describing the actor as financially motivated and North Korea-nexus. GTIG also warned that malicious axios releases v1.14.1 and v0.30.4, delivered through Jason Saayman’s compromised account and plain-crypto-js, could have a broad blast radius across dependent packages and developer environments.
Show sources
- Hackers Hijack Axios npm Package to Spread RATs — www.infosecurity-magazine.com — 01.04.2026 12:00
-
31.03.2026 16:53 1 articles · 1mo ago
Jason Saayman hit by network compromise
Initial DisclosureThe first phase was the publication of **[email protected]** and **[email protected]** after the maintainer's **npm account** was compromised. Those releases inserted an install-time dependency that served as the initial delivery path for the malware.
Show sources
- Hackers compromise Axios npm package to drop cross-platform malware — www.bleepingcomputer.com — 31.03.2026 16:53