Last week, the popular axios library was compromised. A maintainer's npm account was stolen, and two malicious versions were published for a few hours. Anyone whose npm install resolved axios afresh during that window (a new project, no lock file, or a regenerated one) pulled in malware that stole credentials and keys.
Why did so many people get hit? Because most dependencies are declared with a caret range:
"axios": "^1.14.0"
That caret means "any version that keeps the leftmost non-zero number": for ^1.14.0 that is everything from 1.14.0 up to, but not including, 2.0.0 (for a 0.x package, ^0.30.0 stays within 0.30.x). When the malicious 1.14.1 appeared, every install that resolved the range fresh took it as the best match, without asking.
The fix is simple: pin exact versions.
"axios": "1.14.0"
Now axios never moves unless you change the number yourself, and npm update will not touch it either. Note that this covers only your direct dependencies: axios's own dependencies are still declared as ranges in its package.json, and they resolve by range unless a lock file fixes them.
What about package-lock.json? A lock file records the exact resolved version of every package in the tree, transitive ones included, at the time it was written. npm install honours it when it satisfies package.json, and npm ci installs exactly that tree and refuses to run if package.json and the lock disagree. If yours was created before the attack and you installed from it, you were safe. But if you regenerated it during the attack window (deleted it, or ran npm update so the caret range could move), it locked in the bad version. So the two are complementary rather than interchangeable: the exact pin states your intent and stops ranges from drifting, and the committed lock file freezes everything underneath it. Pin direct dependencies, commit the lock, and install from it with npm ci in CI.
When you do upgrade:
- Wait a few days after a new release. Malicious versions are usually spotted and unpublished within hours, so a version that has been sitting on the registry for a week has had time to be looked at. npm can enforce this for you: npm install --before=<date> only considers versions published on or before that date.
- Check the project's GitHub issues, the npm advisory database and the release notes for the version you are taking. A patch release that adds a new dependency, or that has no matching tag or changelog entry, is a red flag. npm view <package> time shows when each version was published.
- Run npm audit before updating, but treat a clean result as necessary rather than sufficient: it only knows about advisories that have already been filed, so a malicious version a few hours old will usually pass.
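To make the caret explanation and the "wait a few days" rule concrete, here is an added example (written for this post, not code from the original post or from npm) that resolves a package.json specifier the way npm's exact, tilde and caret rules do, but only among versions published at or before a cutoff. The cutoff is "now minus a minimum release age", the same idea as npm's --before option expressed as a policy. The publish timeline is a constructed sample shaped like the "time" field npm view returns; it is illustrative and not the real axios release history.

```javascript
// Added example: resolve a specifier against a publish timeline with a
// minimum release age. parseVersion/compare handle plain major.minor.patch
// versions; satisfies implements exact ("1.14.0" or "=1.14.0"), "~" and "^".
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Does version v satisfy spec?
function satisfies(spec, v) {
  const exact = /^=?(\d+\.\d+\.\d+)$/.exec(spec);
  if (exact) return compare(v, exact[1]) === 0;
  const op = spec[0];
  const baseStr = spec.slice(1);
  if (compare(v, baseStr) < 0) return false; // ranges never go below the base
  const base = parseVersion(baseStr);
  const cand = parseVersion(v);
  if (op === "~") return cand[0] === base[0] && cand[1] === base[1];
  if (op === "^") {
    // Caret: the leftmost non-zero component of the base must not change.
    if (base[0] !== 0) return cand[0] === base[0];
    if (base[1] !== 0) return cand[0] === 0 && cand[1] === base[1];
    return cand[0] === 0 && cand[1] === 0 && cand[2] === base[2];
  }
  throw new Error(`unsupported specifier: ${spec}`);
}

// published: { "1.14.0": "2026-03-01T00:00:00Z", ... } as in npm's "time" field.
// Returns the highest matching version published at least minAgeDays before now.
function resolveSpec(spec, published, { now, minAgeDays = 0 }) {
  const cutoff = now.getTime() - minAgeDays * 86400000;
  const eligible = Object.entries(published)
    .filter(([v, t]) => satisfies(spec, v) && Date.parse(t) <= cutoff)
    .map(([v]) => v)
    .sort(compare);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

// Constructed publish timeline (illustrative, not the real axios history).
const samplePublished = {
  "1.13.2": "2026-02-10T00:00:00Z",
  "1.14.0": "2026-03-01T00:00:00Z",
  "1.14.1": "2026-03-31T10:00:00Z", // assume this is the malicious release
  "2.0.0":  "2026-03-20T00:00:00Z",
};
const sampleNow = new Date("2026-03-31T14:00:00Z"); // four hours after 1.14.1

console.log(resolveSpec("^1.14.0", samplePublished, { now: sampleNow }));                // 1.14.1
console.log(resolveSpec("^1.14.0", samplePublished, { now: sampleNow, minAgeDays: 7 })); // 1.14.0
console.log(resolveSpec("1.14.0",  samplePublished, { now: sampleNow }));                // 1.14.0
console.log(resolveSpec("~1.13.0", samplePublished, { now: sampleNow }));                // 1.13.2
```

The first call is what an unpinned, unlocked install did during the attack window: the caret range happily takes 1.14.1. The second shows that a seven-day release age keeps you on 1.14.0 even with the caret, and the third shows the exact pin never moves at all. In practice you would feed resolveSpec the object from npm view <package> time --json rather than a constructed one.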
One more thing: AI assistants suggest npm install commands from training data with a cutoff, and they have no view of an incident that happened this week or an hour ago. Take a second to verify the version you are about to install and when it was published (npm view <package> time) before you paste the command.
Pin exact versions, commit the lock file, install from it with npm ci, and upgrade deliberately. It is a small habit that stops attacks like this.