CyborgNinja1

Originally published at shieldcortex.ai

The axios Attack Was a Wake-Up Call. Your AI Agent Just Ran npm install Without Asking You.

The axios 1.14.1 supply chain attack hit packages with 100M+ weekly downloads. But here's what nobody's talking about — AI coding agents run npm install autonomously. No human reviews the packages. No human checks the lockfile. Your agent just trusts npm.

This isn't a hypothetical. It happened this week.


What Happened

On March 31, 2026, an attacker hijacked a lead maintainer's npm account for axios — one of the most widely used JavaScript packages in existence. They:

  1. Swapped the maintainer's email to an anonymous ProtonMail
  2. Bypassed GitHub Actions entirely
  3. Manually pushed axios@1.14.1 via the npm CLI

The malicious version injected plain-crypto-js@4.2.1 — a package that didn't exist before that day.

It's a full RAT dropper. One npm install and it:

  • Runs a postinstall script silently
  • Detects your OS (macOS, Windows, Linux)
  • Downloads a platform-specific payload
  • Executes it
  • Deletes itself after execution
  • Replaces its own package.json with a clean decoy

You check your node_modules after — everything looks normal. But the damage is already done.

Why AI Agents Make This Worse

Here's the uncomfortable truth that nobody in the AI tooling space is talking about:

AI coding agents run npm install without human review.

Claude Code, OpenAI Codex, Cursor, Windsurf — when these agents need a dependency, they install it. When they scaffold a project, they run npm install. When they fix a build error, they might add a package.

A human developer might notice something off:

  • "Wait, why is there a postinstall script?"
  • "I don't remember adding plain-crypto-js"
  • "Why did 3 new transitive dependencies appear?"

An AI agent won't notice any of this. It sees npm install succeed, marks the task as done, and moves on. The RAT is already running on your machine.

Your AI agent has shell access. That makes it an attack surface.

It Gets Worse: Real-Time Weaponisation

The same day the axios attack landed, Claude Code's source was exposed via npm sourcemaps. Within hours, attackers registered typosquat packages targeting developers who tried to compile the leaked source:

  • color-diff-napi — squatting an Anthropic internal package name
  • modifiers-napi — same attacker, disposable email

Supply chain attacks are now reactive. Attackers watch trending repos and weaponise them in real time. If your AI agent is installing packages from a hot new project, it's walking into a trap.

Update: It's a Coordinated Campaign (April 4)

Since this article was published, the picture has gotten significantly worse.

The axios compromise wasn't a one-off. Socket's latest research confirms it's part of a coordinated social engineering campaign targeting the highest-impact npm maintainers in the ecosystem.

Maintainers who have confirmed they were targeted by the same campaign:

  • Jordan Harband — TC39 member, maintains hundreds of ECMAScript polyfills (billions of monthly downloads)
  • John-David Dalton — creator of Lodash (137M+ weekly downloads)
  • Matteo Collina — Node.js TSC Chair, lead maintainer of Fastify, Pino, and Undici (billions of downloads/year)
  • Scott Motte — creator of dotenv (114M+ weekly downloads)
  • Feross Aboukhadijeh — Socket CEO, creator of WebTorrent, buffer, and dozens of widely used packages
  • Wes Todd — Express TC member, Node Package Maintenance Working Group
  • Multiple Socket engineers themselves

The attack pattern is consistent: social engineering via Slack or email, appearing as legitimate company outreach, then asking the maintainer to install software — the payload. The goal is always the same: get npm publish access.

As Feross put it: "This kind of targeted social engineering against individual maintainers is the new normal. These campaigns are sophisticated and persistent. We're seeing them across the ecosystem and they're only accelerating."

If they'd compromised Lodash or dotenv instead of axios, the blast radius would have been catastrophic. Every Node.js project that reads environment variables. Every project that uses _.get() or _.merge().

Write access to npm is the prize. And AI agents are the unwitting delivery mechanism.

What Snyk and npm audit Miss

Traditional security tools (Snyk, Dependabot, npm audit) check for known CVEs — vulnerabilities that have already been reported, catalogued, and assigned an advisory number.

The axios 1.14.1 attack wouldn't have been in Snyk's database for hours after publication. During those hours, every npm install was compromised.

What's needed is zero-day detection:

  • Flag packages that didn't exist yesterday
  • Detect typosquats by name similarity (Levenshtein distance)
  • Scan postinstall scripts for payload downloads, OS detection, credential access, self-deletion
  • Block known malicious packages instantly, before any CVE exists

What We Built

At Drakon Systems, we run a fleet of 6 AI agents that manage everything from school administration to e-commerce operations. When the axios attack hit, we asked ourselves: "Would our agents have caught this?"

The honest answer was: partially. Our memory security layer (ShieldCortex) would catch credential exfiltration through agent memory, but it couldn't intercept npm install itself.

So we built a dependency scanner. In 24 hours.

$ shieldcortex audit --deps

  [X] CRITICAL  Known malicious: plain-crypto-js
  [!] HIGH      Typosquat detected: "axois" → "axios"
  [!] HIGH      Suspicious postinstall: downloads payload, detects OS
  [~] MEDIUM    New package (< 7 days) with install script

  🛡️ Run with --auto-protect to quarantine threats automatically

What it checks:

  1. Known malicious blocklist — plain-crypto-js, color-diff-napi, modifiers-napi, and every known bad package. Finding = instant CRITICAL.

  2. Typosquat detection — Compares every installed package name against 34 popular packages using Levenshtein distance. axois? Flagged. loadsh? Flagged. crytpo-js? Flagged.

  3. Suspicious postinstall scripts — 16 regex patterns covering:

    • Payload downloads (curl, wget, fetch)
    • Command execution (exec, spawn, child_process)
    • OS fingerprinting (process.platform, os.type())
    • Self-deletion (rm -rf, unlink)
    • Credential access (.ssh, .aws, .npmrc, HOME)

  4. Package age — Flags packages published in the last 7 days that have install hooks. Brand new + postinstall = suspicious.
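The four checks above, written out as an added example in plain Node.js (this is not ShieldCortex's code). The popular-package shortlist, the edit-distance threshold of 2 and the package records are assumptions; the blocklist holds only the three names this article reports.

```javascript
// Classic dynamic-programming Levenshtein (edit) distance.
function levenshtein(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// Constructed shortlist standing in for the article's 34 popular packages,
// and the three names the article reports as malicious.
const POPULAR = ['axios', 'lodash', 'crypto-js', 'dotenv', 'express'];
const BLOCKLIST = new Set(['plain-crypto-js', 'color-diff-napi', 'modifiers-napi']);

// Assumed rule: within edit distance 2 of a popular name, but not equal to it.
function typosquatOf(name) {
  if (POPULAR.includes(name)) return null;
  return POPULAR.find((p) => levenshtein(name, p) <= 2) || null;
}

// Regexes for the postinstall behaviours the article lists.
const SUSPICIOUS = [
  [/\b(curl|wget|fetch)\b/, 'payload download'],
  [/\b(exec|spawn|child_process)\b/, 'command execution'],
  [/process\.platform|os\.type\(\)/, 'OS fingerprinting'],
  [/rm -rf|\bunlink\b/, 'self-deletion'],
  [/\.ssh|\.aws|\.npmrc|\bHOME\b/, 'credential access'],
];
function postinstallFindings(script) {
  return SUSPICIOUS.filter(([re]) => re.test(script)).map(([, label]) => label);
}

// pkgs: [{ name, scripts, ageDays }], as read from each package.json plus the
// registry publish date. Returns one { name, severity, reason } per finding.
function audit(pkgs) {
  const out = [];
  const flag = (name, severity, reason) => out.push({ name, severity, reason });
  for (const p of pkgs) {
    const post = (p.scripts && p.scripts.postinstall) || '';
    if (BLOCKLIST.has(p.name)) flag(p.name, 'CRITICAL', 'known malicious');
    const squat = typosquatOf(p.name);
    if (squat) flag(p.name, 'HIGH', `typosquat of ${squat}`);
    const hits = postinstallFindings(post);
    if (hits.length) flag(p.name, 'HIGH', `suspicious postinstall: ${hits.join(', ')}`);
    if (post && p.ageDays < 7) flag(p.name, 'MEDIUM', 'new package (< 7 days) with install script');
  }
  return out;
}
```

Short names sit within two edits of many legitimate packages, so the threshold needs tuning alongside an allowlist of what the project actually depends on.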

Pro tier adds teeth:

# Scan and auto-quarantine critical threats
shieldcortex audit --deps --auto-protect

# Permanently remove known malicious packages
shieldcortex audit --deps --clean --force

Free users see the fire. Pro users put it out.

The Uncomfortable Question

Every AI coding agent on the market today has some form of shell access. They can run npm install, pip install, cargo add, go get. Each of these executes unsigned code on your machine.

We've given AI agents the ability to install arbitrary code, and we're trusting the package registry to be safe.

After this week, we know it isn't.

If your AI agent has shell access, you need a supply chain firewall. Not eventually. Now.


Get Started

npm install -g shieldcortex
shieldcortex audit --deps

Scan your project. Check your global installs. See what's lurking in your node_modules.

The axios attack was a wake-up call. The question is whether you'll hit snooze.


Built by Drakon Systems — we run 6 AI agents in production. Security isn't theoretical for us.
