“Two malicious versions of axios were published to npm, downloaded over 80,000 times before being pulled, installing a remote access trojan on every host.”

The most popular HTTP library in the JavaScript ecosystem, hit with a supply-chain attack by someone who got hold of a maintainer credential. 80,000 hosts pulled the trojan in the first day. There is no fixing this category of attack. The npm ecosystem is one stolen API token away from someone owning a meaningful chunk of the web’s infrastructure on any given Tuesday.