Hacker News

Axios compromised on NPM – Malicious versions drop remote access trojan

1742 points, by mtud, today at 2:54 AM, 706 comments

Comments

aa-jv, today at 7:01 AM

I have a few projects which rely on npm (and react) and every few months I have to revisit them to do an update and make sure they still build, and I am basically done with npm and the entire ecosystem at this point.

Sure, it's convenient to have so much code to use for basic functionality - but the technical debt of having to maintain these projects is just too damn high.

At this point I think that, if I am forced to use javascript or node for a project, I reconsider involvement in that project. Its ecosystem is just so bonkers I can't justify the effort much longer.

There has to be some kind of "code-review-as-a-service" that can be turned on here to catch these things. It's just so unproductive, every single time.

shevy-java, today at 6:02 AM

NPM gets worse than Russian roulette. Perhaps we have to rename Russian roulette to node roulette: noulette.

ArtinOr, today at 10:09 AM

Reset the clock

tonymett, today at 3:41 AM

Has anyone tested general-purpose malware detection on supply chains? Like clamscan. I tried to test the LiteLLM hack but the affected packages had been pulled. Windows Defender AV has an inference-based detector that may work when signatures have not yet been published.

TZubiri, today at 12:34 PM

I've been saying for ages: use XMLHttpRequest, or hell, even fetch().

Stop downloading code from the internet unless it's a major strategic decision.

Imustaskforhelp, today at 8:59 AM

If someone from GitHub is reading this, https://github.com/axios/axios/issues/10604#issuecomment-416...

I think that Jason might like it if someone from the GitHub team can contact them as soon as possible.

(8 minutes ago at the time of writing)

kush3434, today at 10:44 AM

First day at Hacker News and this is the first post I saw.

est, today at 9:05 AM

Compiled JS solves a problem that no longer exists. IE6 is dead, RIP.

Now we have a 20MB main.min.js problem

charcircuit, today at 7:39 AM

Hopefully desktop Linux users will start to understand that malware actually does exist for Linux and that their operating system is doing nothing to protect them from getting RATed.

0x1ceb00da, today at 4:14 AM

Coded has zero npm dependencies. Neat!

jijji, today at 3:01 PM

Another week, another npm supply chain attack.

xyst, today at 6:01 PM

Yet another npm supply chain attack; these are becoming as ubiquitous as gun violence in the US.

We have become numb to it.

One of my tools, bruno, was impacted, but it seems to be limited to the CLI via npm install [1].

[1] https://github.com/usebruno/bruno/security/advisories/GHSA-6...

slopinthebag, today at 3:33 AM

It's reasons like this why I refuse to download Node or use anything NPM. Thankfully, other languages are better anyway.
