The Axios Supply Chain Attack Explained
TL;DR
Axios got turned into malware at massive scale — TBPN says the compromised npm package sits under “almost every app on your phone and every website you visit,” with figures cited from 100 million to 300 million weekly downloads and 173,000 dependent packages.
The attacker didn’t change Axios’s core code — they poisoned the release pipeline — after stealing a lead maintainer’s npm credentials, they swapped the email to a Proton account and slipped in a fake dependency, plain-cryptojs, that acted as an obfuscated dropper for Windows, Mac, and Linux.
The practical advice was blunt: pin Axios to 1.14.0, audit lockfiles, and rotate secrets — Feross and Socket Security’s guidance, echoed on the show, was to avoid upgrading, inspect installs immediately, and assume any machine that pulled the bad version may have leaked passwords, API keys, or SSH tokens.
Karpathy’s near-miss highlights the real problem: unpinned dependencies spread attacks randomly at scale — he found Axios in a Google Workspace CLI experiment, but happened to resolve to the safe 1.13.5 version, which he used to argue package manager defaults in npm and pip need to change.
TBPN thinks AI coding will trigger more security tooling, not less — the hosts debate whether incidents like this slow “vibe coding,” but land on the idea that AI code generation will be paired with AI review, citing Cognition’s Devin Review catching the Axios attack for customers within an hour.
The second story was Anthropic accidentally leaking Claude Code via an npm source map — the hosts treat it as embarrassing but survivable, noting the leak exposed roadmap details and internal jokes more than existential secrets, while also showing how anything published to npm gets downloaded almost instantly.
The Breakdown
A slow AI news week turns into hack week
The hosts open by joking that spring break has frozen big-tech launches — executives are supposedly off with their kids, so the usual AI product cycle is quiet. In that vacuum, the show shifts hard into “a ton of crazy hacks,” with Axios becoming the main event.
The Axios supply-chain attack is the big one
TBPN frames Axios as one of npm’s most depended-on packages, the boring HTTP helper that quietly powers apps and websites everywhere. Their warning is not subtle: if you installed the poisoned version, “freak out,” because this wasn’t a glitch — it was malware that could steal API keys, SSH keys, and potentially escape local dev environments.
How the malware actually got in
Pulling from Feross at Socket Security and a longer summary from Anish, they explain that attackers stole a lead developer’s npm login, changed the account email to a Proton Mail address, and hand-published malicious versions. The clever part is they never altered Axios itself; instead they smuggled in a fake package, plain-cryptojs, dressed up like a trusted library, then used it to drop payloads, run shell commands, and erase evidence after execution.
Six minutes is fast — and maybe still catastrophically slow
Socket reportedly caught the package in about six minutes, but the hosts keep circling the same uneasy question: with 100 million-plus weekly downloads, how many machines got hit in that window? They point out that discovery time and rollback time are different things, and that the actual blast radius depends on how long npm kept serving the bad package after it was flagged.
Karpathy’s close call and the case against unpinned deps
Andrej Karpathy says he scanned his own system and found Axios pulled in through a Google Workspace CLI experiment, but luck saved him because it resolved to the older safe version, 1.13.5. His takeaway becomes the show’s broader point: users can defend themselves with containers and release-age constraints, but package managers like npm and pip need saner defaults so one temporary compromise doesn’t randomly infect the world.
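A lockfile audit of the kind the pinning advice calls for, as an added example (not code from the show, Socket, or the Axios project): it flags a non-exact axios spec in package.json, any resolved axios version other than the two this summary names as safe (1.14.0 and 1.13.5), and any trace of plain-cryptojs. The function names and the sample lockfile are constructed, and because the summary does not give the malicious version numbers, 9.9.9 is a placeholder.

```javascript
// Audit a package.json + package-lock.json (lockfileVersion 2/3) pair.
// SAFE_AXIOS and DROPPER come from the article; all other names are assumptions.
const SAFE_AXIOS = new Set(["1.14.0", "1.13.5"]);
const DROPPER = "plain-cryptojs";

// The text after the last "node_modules/" in a lockfile key is the package name.
function nameFromLockPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? null : path.slice(i + "node_modules/".length);
}

function auditLock(manifest, lock) {
  const findings = [];
  const spec = { ...manifest.dependencies, ...manifest.devDependencies }.axios;
  // An exact pin is a bare x.y.z; ^, ~, ranges and tags can float to a new release.
  if (spec && !/^\d+\.\d+\.\d+$/.test(spec)) {
    findings.push(`package.json: axios spec "${spec}" is not an exact pin`);
  }
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromLockPath(path);
    if (name === DROPPER) {
      findings.push(`${path}: ${DROPPER} is installed`);
    }
    if (name === "axios" && !SAFE_AXIOS.has(entry.version)) {
      findings.push(`${path}: axios ${entry.version} is not a version named as safe`);
    }
    // Catch the dropper declared as a dependency even if its own entry is missing.
    const declared = { ...entry.dependencies, ...entry.optionalDependencies };
    if (DROPPER in declared) {
      findings.push(`${path || "<root>"}: declares a dependency on ${DROPPER}`);
    }
  }
  return findings;
}

// Constructed sample input (version 9.9.9 is a placeholder, not a real indicator).
const sampleManifest = { dependencies: { axios: "^1.13.0" } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.13.0" } },
    "node_modules/axios": { version: "9.9.9", dependencies: { "plain-cryptojs": "^1.0.0" } },
    "node_modules/plain-cryptojs": { version: "1.0.0" },
    "node_modules/tool/node_modules/axios": { version: "1.13.5" },
  },
};
console.log(auditLock(sampleManifest, sampleLock).join("\n"));
```

The nested `node_modules/tool/node_modules/axios` entry is the Karpathy case: a transitive copy that happens to resolve to 1.13.5 produces no finding, while the top-level floating spec is still reported.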
Why the hosts think AI coding means more AI security
Scott Wu says Devin Review caught the Axios attack for Cognition customers before the public news broke, and TBPN uses that to argue these incidents will be “10x more frequent in the age of AI.” Rather than killing vibe coding, they think it will create demand for more automated code review, more cyber products, and more agents checking other agents’ work.
Then came the Claude Code source leak
The second half moves to Anthropic, where a production build of Claude Code reportedly generated a source map and published it to npm, effectively exposing the codebase. The hosts compare it to accidentally posting your blueprint online, then immediately note that npm moves so fast that even a one-minute mistake is enough for someone to grab, zip, and spread it on X.
Embarrassing for Anthropic, but probably not fatal
TBPN treats the Claude Code leak as messy and brand-damaging more than business-ending, especially since competitors already build on open and semi-open harnesses like Codex. The real sting, they joke, is that the leak spoiled roadmap details and even internal April Fools plans — the kind of silly human detail that makes the whole thing feel less like abstract infosec and more like a very public bad day.