Hackers slipped a trojan into the code library behind most of the internet. Your team is probably affected
Key Points:
- Attackers stole a long-lived npm access token from axios's lead maintainer and published two malicious versions of the library that install a cross-platform remote access trojan (RAT) targeting macOS, Windows, and Linux; these versions were available on npm for about three hours before removal.
- Axios is widely used, with over 100 million weekly downloads and presence in approximately 80% of cloud and code environments, leading to at least 135 confirmed infected systems during the exposure window according to Huntress.
- Despite axios implementing modern security measures like GitHub Actions with OIDC Trusted Publisher and SLSA attestations, the attack bypassed these by exploiting a legacy long-lived npm token, which npm uses in preference to OIDC when both a token and OIDC credentials coexist.
- This incident marks the third major npm supply chain compromise in seven months, all stemming from stolen maintainer credentials, highlighting a systemic vulnerability where maintainer accounts remain the single point of failure despite downstream security improvements.
- Organizations using Node.js are advised to assess impact immediately, search for affected package versions, rebuild compromised systems, rotate credentials, block command-and-control domains, and enforce stricter CI/CD policies such as ignoring install scripts and requiring provenance verification to prevent similar attacks.
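The "search for affected package versions" step above, as an added example that is not part of the original article: a small Python scanner that walks a directory tree for npm package-lock.json files and reports any dependency pinned to a known-bad version. The version strings in BAD_VERSIONS are constructed placeholders, since the article does not name the two malicious axios releases; substitute the versions from the advisory you are working from.

```python
import json
from pathlib import Path

# Constructed placeholders: substitute the exact versions named in the advisory.
BAD_VERSIONS = {"axios": {"0.0.0-bad-a", "0.0.0-bad-b"}}


def find_bad_packages(lock, bad=BAD_VERSIONS):
    """Return sorted (name, version) pairs from a parsed package-lock.json that match `bad`.
    Handles lockfileVersion 2/3 (flat "packages" map keyed by install path) and
    lockfileVersion 1 (nested "dependencies" tree), including nested copies under other packages."""
    hits = set()
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if meta.get("version") in bad.get(name, ()):
            hits.add((name, meta["version"]))

    def walk(deps):
        for name, meta in deps.items():
            if meta.get("version") in bad.get(name, ()):
                hits.add((name, meta["version"]))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return sorted(hits)


def scan_tree(root):
    """Scan every package-lock.json under `root`; returns {lockfile path: hits} for files with hits."""
    results = {}
    for lockfile in Path(root).rglob("package-lock.json"):
        with open(lockfile, encoding="utf-8") as fh:
            hits = find_bad_packages(json.load(fh))
        if hits:
            results[str(lockfile)] = hits
    return results


# Constructed sample lockfile (v3 layout): one clean top-level axios and one bad copy
# nested under another dependency, which a top-level-only check would miss.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/axios": {"version": "1.2.3"},
        "node_modules/some-sdk/node_modules/axios": {"version": "0.0.0-bad-a"},
    },
}

if __name__ == "__main__":
    print(find_bad_packages(SAMPLE_LOCK))  # [('axios', '0.0.0-bad-a')]
```

A hit in a lockfile only shows that the version was resolved; treat any host that ran `npm install` against it during the exposure window as compromised and rebuild, as the article advises, rather than simply bumping the version.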