
Attackers trojanize Axios HTTP library in highest-impact npm supply chain attack
Attackers compromised the npm account of the lead maintainer of Axios, a widely used JavaScript HTTP client library, and used it to publish malicious versions of the package that deployed a cross-platform remote access trojan on developer machines. The incident represents the highest-impact npm supply chain attack on record, given Axios’ approximately 100 million weekly downloads and its presence in frontend frameworks, backend services, and countless enterprise applications. Luckily, the trojanized versions, [email protected] and [email protected], were detected by multiple security companies monitoring the npm registry within minutes of publication, triggering a rapid response that saw the malicious p...