Published by SendWaveHub · NPM Safety Guard v1.12.0
The Attack
In April 2025, security researchers discovered that axios 1.14.1 — a package with hundreds of millions of downloads — had been briefly replaced on npm with a version containing a Remote Access Trojan (RAT) attributed to DPRK-linked threat actors (the Lazarus Group).
The malicious version was live for a short window. Developers who ran npm install during that window pulled down a backdoor that connected to attacker-controlled infrastructure.
This isn't an edge case. It's the same pattern used in the event-stream attack (2018), ua-parser-js (2021), and dozens of others. Supply chain attacks now account for a significant share of real-world breaches — and they bypass most traditional security tools because the package itself is the attack vector.
The Problem with Existing Tooling
npm audit only catches known CVEs — it doesn't flag malicious payloads injected into legitimate packages. By the time a CVE is filed, the damage may already be done.
OSV.dev, Snyk, and similar tools are excellent at CVE tracking, but they rely on a package being reported and catalogued. A supply chain attack that's live for 48 hours may never make it into those databases in time to protect you.
What NPM Safety Guard Does Differently
NPM Safety Guard is a free VS Code extension that runs 13 detection layers directly in your editor, before npm install even runs.
For the Axios DPRK RAT specifically, it:
-
Matches against a curated malicious-package database — the bundled DB includes
axios@1.14.1, flagged as CRITICAL with the exact version and attack description - Pulls a live remote feed — updated independently of extension releases, so new attacks light up within hours of discovery
- Checks OSV.dev in real time — CVEs filed against your installed versions are flagged inline
-
Audits install hooks —
preinstall/postinstall/preparescripts are flagged before they run, since they're the #1 supply-chain execution vector
Here's what it looks like when axios@1.14.1 appears in your package.json:
🔴 CRITICAL — DPRK RAT (Lazarus Group) — axios@1.14.1
This version was replaced with a Remote Access Trojan.
Safe version: 1.7.9
npm install axios@1.7.9
The warning appears inline, in the Problems panel, and in a full Security Report — all before you've run a single npm command.
The Other 12 Detection Layers
Catching known-malicious packages is the floor, not the ceiling. NPM Safety Guard also detects:
| Layer | What it catches |
|---|---|
| Typosquatting |
lодash (Cyrillic о), expres — packages designed to look like legitimate ones |
| Dependency confusion | Scoped packages (@company/pkg) that have been planted on public npm |
| Overrides/resolutions poisoning | Teams pin versions to fix a transitive CVE, accidentally pinning to a vulnerable version |
| Phantom dependencies | Packages your code imports but aren't in package.json — fail silently in clean installs |
| Unmaintained packages | Last release >24 months ago → accumulating unpatched CVEs |
| Deprecated packages | npm-deprecated packages with auto-upgrade suggestions |
| Install script audit | Every preinstall/postinstall hook flagged with package context |
| OSSF Scorecard | Security hygiene scores from the OpenSSF for each dependency |
| Socket.dev integration | Supply chain risk scores (requires token) |
| License compliance | GPL/AGPL in commercial projects |
| ReversingLabs | Real-time CVE + malware detection (requires free token) |
| Lockfile scan | Full resolved dependency tree, not just direct deps |
Install It Free
The extension is free, open source (MIT), and available on:
- VS Code Marketplace
- Open VSX (for VSCodium users)
ext install Sendwavehubtech.npm-safety-guard
No API key required for the core features. The malware DB and OSV.dev integration work out of the box.
Why This Matters Now
The Axios attack was caught relatively quickly — but only because it targeted a high-profile package with many eyes on it. The next attack will target a smaller package, with fewer watchers, and stay live longer.
Your best defense is catching the package before it's installed — at the point where you're editing package.json in your editor.
That's exactly what NPM Safety Guard is built for.
Built by SendWaveHub. If this saves your project, consider sponsoring the work.
Tags: security npm javascript devsecops supplychain
Top comments (0)