Trusted Source
A few days ago, axios was poisoned. The HTTP client with 70 million weekly downloads. A North Korean attack group reached the maintainer through Telegram, gained his trust with a deepfake video of a cryptocurrency company CEO, got him to run a trojan, and seized his npm account. The malicious versions were live for about three hours. In those three hours, a RAT was distributed to dev machines worldwide.
This wasn't the first time npm's supply chain broke.
In 2016, a package called left-pad disappeared. Eleven lines of code. The author, angry over a dispute with npm Inc., pulled all his packages. A function that did nothing but pad the left side of a string with spaces. Babel depended on it. React depended on Babel. Countless projects depended on React. It wasn't even an attack. One developer took his code and went home.
In 2018, the maintainer of event-stream burned out. Someone showed up offering to take over. The maintainer happily handed over publish access. Months later, code to steal Bitcoin wallet private keys had been quietly injected.
npm supply chain incidents have kept happening since. From the outside: account takeovers distributing malware. From the inside: maintainers, exhausted by unpaid labor, destroying their own packages in protest. The threats are nothing alike, but the underlying structure is the same. Tens of millions of projects depend on packages maintained by individuals. If that individual gets deceived or gets angry, the poison reaches every leaf of the dependency tree.
I'm not here to bash npm's dependency culture. Sharing small functions through packages is rational, and the productivity it enables doesn't exist without this structure. But no developer reads everything inside node_modules. Every time we run npm install, we're trusting strangers.
What was new about the axios incident was the deepfake. Back in the event-stream days, pretending to be a good person was enough. Eight years later, attackers forged a real person's likeness with AI and targeted a single maintainer with the backing of a nation-state. The cost of forging trust is dropping fast.