Hacker hijacks open source Axios project, used by millions, to push malware


A hacker has hijacked and modified a popular open source software development tool to deliver malware that could put millions of developers at risk of exposure.

On Monday, a hacker deployed malicious versions of a widely used JavaScript library called Axios, which developers rely on to allow their programs to connect to the Internet. The affected library was hosted on npm, a software repository that stores code for open source projects. Axios is downloaded tens of millions of times every week.

The hijack was spotted and stopped within about three hours overnight from Monday to Tuesday, according to security company StepSecurity, which analyzed the attack.

Hackers are increasingly targeting developers of popular open source projects in an attempt to mass compromise anyone relying on the affected code, potentially giving hackers access to large numbers of affected devices. These types of breaches are called supply chain attacks because they target software that allows hackers to hack anyone who has downloaded the compromised software. In recent years, hackers have targeted companies such as 3CX, Kaseya, and SolarWinds, in addition to open source tools such as Log4j and Polyfill.io, to target large numbers of their users.

It is not clear at this point how many people downloaded the malicious version of Axios during that time period. Security company Aikido, which also investigated the incident, said anyone who downloaded the code “should assume their system is compromised.”


The hacker was able to insert malicious code into Axios by hacking into the account of one of the project’s core developers, who was authorized to publish updates. The hacker replaced the legitimate developer’s email address on the account with their own, making it more difficult for the developer to regain access.

Once the account was taken over, the hacker inserted malicious code designed to deliver a remote access Trojan, or RAT — essentially malware that can give hackers complete remote control of a victim’s computer. The hacker then released new versions of Axios in a legitimate-looking update for Windows, macOS, and Linux users.


The hackers also designed the malware, as well as some of the code used to deliver it, to automatically delete itself after installation in an attempt to hide from anti-malware engines and investigators, according to security researchers.
