Seventy Million Downloads and One Password
Arlo Gilbert ·
Somebody logged into an npm account last week. They published two package updates. The whole thing took 39 minutes.
Those two packages were new versions of Axios, the JavaScript HTTP client installed in roughly 70 million projects every week. Both versions contained a remote access trojan. If your project auto-updated (and most do), you had a North Korean backdoor on your machine before lunch.
Microsoft attributed the attack to Sapphire Sleet. Google's Threat Intelligence team pinned it on UNC1069. The names differ. The conclusion doesn't: a nation-state compromised one of the most foundational packages in the JavaScript ecosystem through a single hijacked maintainer account.
Not a zero-day. Not a sophisticated exploit chain. One password.
The point of this story isn't that npm got hacked. People in security have been warning about supply chain risk for years. The point is what it reveals about the trust model underneath every piece of software we're building right now. That model is about to get a lot more fragile.
The trust you didn't know you were extending
Every modern software project is a dependency tree. Your code sits on top. Underneath are hundreds, sometimes thousands, of packages you didn't write, don't audit, and update automatically. The entire system runs on trust. You trust that the maintainer of a package with 70 million weekly downloads has good security hygiene. You trust that npm catches compromised publishes. You trust the community would notice something malicious before it spreads.
All three assumptions failed last week. The maintainer's account was hijacked. npm didn't flag the publishes. The malicious versions were live and installing before anyone caught it.
And Axios isn't some niche library. It's closer to plumbing. It's in dashboards, APIs, CI/CD pipelines, developer tools, internal platforms. It's in the AI applications your team shipped last quarter. It's the HTTP layer that your LLM orchestration framework uses to call the model. When you compromise Axios, you don't just hit one project. You hit the substrate.
Three in one week
The Axios compromise didn't happen in isolation. The same week, two other AI-adjacent supply chain attacks surfaced.
On March 24, compromised versions of LiteLLM (a popular library for routing calls to multiple LLM providers) appeared on PyPI. The attacker bypassed the project's CI/CD pipeline entirely and uploaded malicious packages straight to the registry. They were live for about 40 minutes before PyPI quarantined them.
Meanwhile, CISA added a critical Langflow vulnerability to its Known Exploited Vulnerabilities catalog with a deadline of April 8 for federal agencies to patch or stop using the product. Langflow is a visual framework for building AI agent workflows. The flaw lets an attacker execute arbitrary Python code with a single crafted HTTP request. Attackers started exploiting it within 20 hours of the advisory. No proof-of-concept code existed yet. They built their exploits directly from the advisory itself.
Three tools. Three attack vectors. All targeting the infrastructure that developers use to build and deploy AI systems. None of them required anything exotic. A hijacked account. A direct upload. A missing input check.
Why this gets worse from here
I spend a lot of time thinking about dependency surfaces because we build AI products at Osano. A typical AI application has a bigger dependency tree than a traditional web app. You've got an LLM client library, a vector database connector, an embedding library, a retrieval pipeline, a tool-calling framework, and the HTTP clients tying it all together. Each one has its own dependency tree. The combinatorial surface is significant.
But that's the easy part. The hard part is that agentic AI systems don't just consume dependencies at build time. Some install packages at runtime. They evaluate code. They call tools. They make decisions about what to fetch and execute based on context that can be influenced by external input. The attack surface isn't fixed anymore. It shifts every time the agent runs.
We're giving AI systems more autonomy, more access to production environments, and more trust. The security model we're relying on (lock files, version pinning, the occasional audit) was built for a world where a human reviewed every dependency change. That world is shrinking.
It's not that the old model was ever great. The Axios attack proves it wasn't. But at least it was a known quantity. A compromised package had to survive human review, human testing, and human deployment before it reached production. Now imagine a coding agent that reads a README, installs a dependency, writes an integration, and ships it to staging. All before a human sees any of it. The 39-minute window from the Axios attack starts to look generous by comparison.
Thirty-nine minutes
A nation-state logged into one npm account. Published two packages. Walked away.
That's all it takes when the system runs on trust nobody verifies.