The Hidden Blast Radius of the Axios Compromise
The Axios compromise shows how time-dependent dependency resolution makes exposure harder to detect and contain.
April 1, 2026
13 min read
Yesterday, we reported on a supply chain attack targeting Axios that introduced a malicious dependency (plain-crypto-js) into specific npm releases.
At first glance, the scope seemed contained:
Over the past 24 hours, we’re seeing many teams focus on checking their lockfiles and node_modules directories, but that only captures part of the picture, especially when tools are executed dynamically via npx.
During the exposure window, widely used tools, including CI systems, developer CLIs, build tools like Nx, and even MCP servers, could resolve the compromised version through normal dependency ranges, often without explicitly depending on Axios at all.
This incident is one of the clearest examples of dynamics that …