
Axios compromised on NPM – Malicious versions drop remote access trojan

738 comments · 32,832 words

Status: Complete · Created: Apr 1, 05:22 AM · Run time: 00:09:53

Models: Claude Opus 4.5 (analyze) · Gemini 3 Flash (tag) · Gemini 3 Flash (summarize)

Article URL: https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan (7,885 words)

Article Summary

On March 30, 2026, StepSecurity discovered that two malicious versions of axios (1.14.1 and 0.30.4), a popular npm HTTP client with over 100 million weekly downloads, had been published from a compromised maintainer account. The attacker added a fake dependency, plain-crypto-js, whose postinstall script ran automatically during npm install and deployed a cross-platform remote access trojan (RAT) targeting macOS, Windows, and Linux. The malware contacted a command-and-control server, fetched platform-specific payloads, and then deleted evidence of its presence. The compromised versions were live for approximately 2-3 hours before being unpublished.

Comment Summary

The discussion centers on the persistent exposure of the npm ecosystem to supply chain attacks, with commenters debating remedies including batteries-included standard libraries, minimum package release age delays, sandboxing development environments, and reducing dependency counts. Many express frustration that JavaScript's ecosystem culture encourages excessive dependencies, while others note that these attacks affect every package ecosystem. Practical mitigations discussed include using pnpm or bun, which do not run postinstall scripts without explicit approval, enforcing a cooldown period before adopting new releases, and running package installations in containers. Some argue for abandoning npm entirely, while others defend JavaScript but criticize npm's security practices.

Execution Log

[2026-04-01T12:22:53.227Z] Starting step: fetch_pages (attempt 1)
[2026-04-01T12:22:53.263Z] Fetching HN page: https://news.ycombinator.com/item?id=47582220
[2026-04-01T12:22:53.494Z] Fetched HN page: 1123762 bytes
[2026-04-01T12:22:53.753Z] Extracted title: Axios compromised on NPM – Malicious versions drop remote access trojan
[2026-04-01T12:22:53.774Z] Extracted linked URL: https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
[2026-04-01T12:22:53.793Z] Fetching linked article: https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
[2026-04-01T12:22:53.894Z] Fetched linked article: 254691 bytes
[2026-04-01T12:22:54.244Z] Completed step: fetch_pages in 991ms
[2026-04-01T12:22:54.532Z] Starting step: extract_text (attempt 1)
[2026-04-01T12:22:54.649Z] Extracted HN text: 238902 chars
[2026-04-01T12:22:54.849Z] Extracted 738 comments
[2026-04-01T12:22:55.156Z] Extracted linked article text: 53709 chars, 7885 words
[2026-04-01T12:22:55.338Z] Comment word count: 32832
[2026-04-01T12:22:55.482Z] Completed step: extract_text in 928ms
[2026-04-01T12:22:55.751Z] Starting step: analyze_content (attempt 1)
[2026-04-01T12:22:55.951Z] Calling claude-opus-4-5-20251101 (article: 53709 chars, 738 comments)
[2026-04-01T12:23:40.726Z] Analysis complete: 20 topics, 62658 input tokens, 1121 output tokens
[2026-04-01T12:23:40.771Z] Completed step: analyze_content in 44996ms
[2026-04-01T12:23:40.960Z] Starting step: tag_comments (attempt 1)
[2026-04-01T12:23:41.008Z] Tagging 738 comments with 20 topics (batch size: 50)
[2026-04-01T12:23:41.030Z] Processing batch 1/15 (50 comments)
[2026-04-01T12:24:15.847Z] Batch 1 complete: 60 tags assigned
[2026-04-01T12:24:15.868Z] Processing batch 2/15 (50 comments)
[2026-04-01T12:24:54.822Z] Batch 2 complete: 74 tags assigned
[2026-04-01T12:24:54.841Z] Processing batch 3/15 (50 comments)
[2026-04-01T12:25:13.307Z] Batch 3 complete: 65 tags assigned
[2026-04-01T12:25:13.328Z] Processing batch 4/15 (50 comments)
[2026-04-01T12:25:28.878Z] Batch 4 complete: 64 tags assigned
[2026-04-01T12:25:28.899Z] Processing batch 5/15 (50 comments)
[2026-04-01T12:25:52.401Z] Batch 5 complete: 55 tags assigned
[2026-04-01T12:25:52.424Z] Processing batch 6/15 (50 comments)
[2026-04-01T12:26:11.384Z] Batch 6 complete: 58 tags assigned
[2026-04-01T12:26:11.406Z] Processing batch 7/15 (50 comments)
[2026-04-01T12:26:38.059Z] Batch 7 complete: 61 tags assigned
[2026-04-01T12:26:38.080Z] Processing batch 8/15 (50 comments)
[2026-04-01T12:27:00.618Z] Batch 8 complete: 70 tags assigned
[2026-04-01T12:27:00.638Z] Processing batch 9/15 (50 comments)
[2026-04-01T12:27:29.402Z] Batch 9 complete: 77 tags assigned
[2026-04-01T12:27:29.425Z] Processing batch 10/15 (50 comments)
[2026-04-01T12:27:55.358Z] Batch 10 complete: 76 tags assigned
[2026-04-01T12:27:55.379Z] Processing batch 11/15 (50 comments)
[2026-04-01T12:28:32.463Z] Batch 11 complete: 74 tags assigned
[2026-04-01T12:28:32.485Z] Processing batch 12/15 (50 comments)
[2026-04-01T12:29:16.029Z] Batch 12 complete: 80 tags assigned
[2026-04-01T12:29:16.053Z] Processing batch 13/15 (50 comments)
[2026-04-01T12:29:37.191Z] Batch 13 complete: 65 tags assigned
[2026-04-01T12:29:37.210Z] Processing batch 14/15 (50 comments)
[2026-04-01T12:29:55.991Z] Batch 14 complete: 69 tags assigned
[2026-04-01T12:29:56.015Z] Processing batch 15/15 (38 comments)
[2026-04-01T12:30:19.426Z] Batch 15 complete: 55 tags assigned
[2026-04-01T12:30:19.473Z] Tagging complete: 1003 total tags, 80436 input tokens, 16742 output tokens
[2026-04-01T12:30:19.493Z] Completed step: tag_comments in 398514ms
[2026-04-01T12:30:19.701Z] Starting step: summarize_topics (attempt 1)
[2026-04-01T12:30:19.734Z] Summarizing 20 topics
[2026-04-01T12:30:19.782Z] Summarizing topic 1/20: "Batteries-included ecosystems # Debate over whether languages with comprehensive standard libraries (Go, .NET, Java) better protect against supply chain attacks by reducing third-party dependencies, versus the rigidity and maintenance burden of large standard libraries" (119 comments)
[2026-04-01T12:30:27.661Z] Topic 1 summarized (9930 in, 178 out)
[2026-04-01T12:30:27.698Z] Summarizing topic 2/20: "Minimum release age delays # Discussion of npm, pnpm, bun, and uv configurations that block packages published within 7 days, noting different time units across tools and concerns about delayed security patches" (151 comments)
[2026-04-01T12:30:38.571Z] Topic 2 summarized (8756 in, 161 out)
[2026-04-01T12:30:38.611Z] Summarizing topic 3/20: "Postinstall script dangers # Focus on how the attack leveraged postinstall hooks, with recommendations to use pnpm/bun which prompt for script approval, or set ignore-scripts=true globally" (33 comments)
[2026-04-01T12:30:47.126Z] Topic 3 summarized (2979 in, 147 out)
[2026-04-01T12:30:47.158Z] Summarizing topic 4/20: "Sandboxing package managers # Suggestions to run npm/pip/cargo in sandboxes using bwrap, Docker, Apple containers, or Qubes OS to limit blast radius of malicious code" (44 comments)
[2026-04-01T12:30:53.001Z] Topic 4 summarized (3483 in, 159 out)
[2026-04-01T12:30:53.034Z] Summarizing topic 5/20: "Trusted publishing and OIDC # Discussion of how npm's trusted publishing via GitHub Actions OIDC could prevent attacks, noting axios uses this but the account takeover bypassed it" (15 comments)
[2026-04-01T12:31:01.139Z] Topic 5 summarized (1300 in, 141 out)
[2026-04-01T12:31:01.177Z] Summarizing topic 6/20: "Transitive dependency risks # Concerns that even removing axios directly still pulls it as a transitive dependency from major vendors like Datadog, Slack, and Twilio" (28 comments)
[2026-04-01T12:31:07.986Z] Topic 6 summarized (2201 in, 184 out)
[2026-04-01T12:31:08.014Z] Summarizing topic 7/20: "Fetch as axios replacement # Arguments that native fetch has been stable since Node 21, making axios unnecessary, though many legacy codebases and LLM-generated code still use it" (75 comments)
[2026-04-01T12:31:16.317Z] Topic 7 summarized (4556 in, 168 out)
[2026-04-01T12:31:16.346Z] Summarizing topic 8/20: "Developer machine compromise # Emphasis that postinstall scripts run on local machines during npm install, making developer workstations the primary attack target, not just CI/CD" (18 comments)
[2026-04-01T12:31:23.462Z] Topic 8 summarized (1697 in, 143 out)
[2026-04-01T12:31:23.493Z] Summarizing topic 9/20: "Account security failures # Discussion of how the maintainer's npm account was hijacked despite 2FA requirements, with speculation about token theft or phishing" (38 comments)
[2026-04-01T12:31:29.864Z] Topic 9 summarized (2403 in, 164 out)
[2026-04-01T12:31:29.895Z] Summarizing topic 10/20: "Anti-forensics techniques # Detailed analysis of how the malware deleted itself and replaced package.json with a clean stub reporting a different version number to evade detection" (4 comments)
[2026-04-01T12:31:36.047Z] Topic 10 summarized (840 in, 150 out)
[2026-04-01T12:31:36.080Z] Summarizing topic 11/20: "Network egress monitoring # How StepSecurity Harden-Runner detected the attack by flagging anomalous outbound connections to the C2 domain sfrclak.com" (20 comments)
[2026-04-01T12:31:43.992Z] Topic 11 summarized (1502 in, 152 out)
[2026-04-01T12:31:44.024Z] Summarizing topic 12/20: "AI and coding agents # Concerns that LLM coding tools like Claude Code automatically run npm install, creating attack surface without human review of new dependencies" (52 comments)
[2026-04-01T12:31:49.983Z] Topic 12 summarized (4331 in, 144 out)
[2026-04-01T12:31:50.062Z] Summarizing topic 13/20: "Dependency culture criticism # Frustration with JavaScript ecosystem's culture of importing packages for trivial functionality, contrasted with C's single-file libraries like SQLite" (103 comments)
[2026-04-01T12:31:57.882Z] Topic 13 summarized (9510 in, 144 out)
[2026-04-01T12:31:57.914Z] Summarizing topic 14/20: "CI/CD pipeline security # Discussion of running npm ci --ignore-scripts in pipelines, using ephemeral runners, and rotating secrets after potential compromise" (23 comments)
[2026-04-01T12:32:04.307Z] Topic 14 summarized (2076 in, 167 out)
[2026-04-01T12:32:04.351Z] Summarizing topic 15/20: "Version pinning limitations # Acknowledgment that while lockfiles help, teams using automated update tools like Renovate or Dependabot may still pull compromised versions quickly" (43 comments)
[2026-04-01T12:32:10.664Z] Topic 15 summarized (3846 in, 128 out)
[2026-04-01T12:32:10.695Z] Summarizing topic 16/20: "Enterprise package mirroring # Mention that large companies use Artifactory to mirror packages internally, providing a buffer against immediate supply chain attacks" (11 comments)
[2026-04-01T12:32:17.675Z] Topic 16 summarized (783 in, 111 out)
[2026-04-01T12:32:17.709Z] Summarizing topic 17/20: "Linux distribution model # Arguments that curated package repositories like Debian's approach of staging and human review could apply to npm ecosystem" (37 comments)
[2026-04-01T12:32:24.733Z] Topic 17 summarized (3283 in, 177 out)
[2026-04-01T12:32:24.763Z] Summarizing topic 18/20: "Cross-platform RAT payloads # Technical analysis of the malware's macOS (AppleScript), Windows (VBScript/PowerShell), and Linux (Python) specific payloads and persistence mechanisms" (4 comments)
[2026-04-01T12:32:29.775Z] Topic 18 summarized (593 in, 114 out)
[2026-04-01T12:32:29.805Z] Summarizing topic 19/20: "Package manager alternatives # Discussion of whether package managers are fundamentally flawed, with references to Odin language's no-package-manager philosophy and Go's vendoring approach" (59 comments)
[2026-04-01T12:32:37.154Z] Topic 19 summarized (6657 in, 170 out)
[2026-04-01T12:32:37.185Z] Summarizing topic 20/20: "MFA and security enforcement # Debate over whether npm should mandate hardware keys or phishing-resistant 2FA for popular package maintainers, and how to handle CI/CD publishing" (45 comments)
[2026-04-01T12:32:44.129Z] Topic 20 summarized (3218 in, 154 out)
[2026-04-01T12:32:44.149Z] Summarization complete: 20 topics, 73944 input tokens, 3056 output tokens
[2026-04-01T12:32:44.168Z] Completed step: summarize_topics in 144443ms
[2026-04-01T12:32:44.205Z] Job completed successfully

LLM Invocations (Total: $0.4779)

Time      Purpose             Model                     Duration  Outcome  Input   Output  Cost
05:23 AM  Generate summaries  claude-opus-4-5-20251101  44.4s     Success  62,658  1,121   $0.3413
05:24 AM  Tag comments        gemini-3-flash-preview    34.5s     Success  6,132   1,091   $0.0063
05:24 AM  Tag comments        gemini-3-flash-preview    38.6s     Success  5,385   1,157   $0.0062
05:25 AM  Tag comments        gemini-3-flash-preview    18.2s     Success  6,528   1,128   $0.0066
05:25 AM  Tag comments        gemini-3-flash-preview    15.3s     Success  5,207   1,107   $0.0059
05:25 AM  Tag comments        gemini-3-flash-preview    23.2s     Success  4,411   1,072   $0.0054
05:26 AM  Tag comments        gemini-3-flash-preview    18.5s     Success  4,912   1,086   $0.0057
05:26 AM  Tag comments        gemini-3-flash-preview    26.3s     Success  4,516   1,104   $0.0056
05:27 AM  Tag comments        gemini-3-flash-preview    22.1s     Success  4,810   1,138   $0.0058
05:27 AM  Tag comments        gemini-3-flash-preview    28.4s     Success  6,562   1,175   $0.0068
05:27 AM  Tag comments        gemini-3-flash-preview    25.6s     Success  6,736   1,189   $0.0069
05:28 AM  Tag comments        gemini-3-flash-preview    36.8s     Success  5,989   1,173   $0.0065
05:29 AM  Tag comments        gemini-3-flash-preview    43.1s     Success  6,071   1,183   $0.0066
05:29 AM  Tag comments        gemini-3-flash-preview    20.8s     Success  4,300   1,129   $0.0055
05:29 AM  Tag comments        gemini-3-flash-preview    18.3s     Success  4,802   1,138   $0.0058
05:30 AM  Tag comments        gemini-3-flash-preview    23.1s     Success  4,075   872     $0.0047
05:30 AM  Summarize topic     gemini-3-flash-preview    7.6s      Success  9,930   178     $0.0055
05:30 AM  Summarize topic     gemini-3-flash-preview    9.8s      Success  8,756   161     $0.0049
05:30 AM  Summarize topic     gemini-3-flash-preview    8.1s      Success  2,979   147     $0.0019
05:30 AM  Summarize topic     gemini-3-flash-preview    5.5s      Success  3,483   159     $0.0022
05:31 AM  Summarize topic     gemini-3-flash-preview    7.8s      Success  1,300   141     $0.0011
05:31 AM  Summarize topic     gemini-3-flash-preview    6.4s      Success  2,201   184     $0.0017
05:31 AM  Summarize topic     gemini-3-flash-preview    8.0s      Success  4,556   168     $0.0028
05:31 AM  Summarize topic     gemini-3-flash-preview    6.8s      Success  1,697   143     $0.0013
05:31 AM  Summarize topic     gemini-3-flash-preview    6.0s      Success  2,403   164     $0.0017
05:31 AM  Summarize topic     gemini-3-flash-preview    5.8s      Success  840     150     $0.0009
05:31 AM  Summarize topic     gemini-3-flash-preview    7.6s      Success  1,502   152     $0.0012
05:31 AM  Summarize topic     gemini-3-flash-preview    5.6s      Success  4,331   144     $0.0026
05:31 AM  Summarize topic     gemini-3-flash-preview    7.5s      Success  9,510   144     $0.0052
05:32 AM  Summarize topic     gemini-3-flash-preview    6.1s      Success  2,076   167     $0.0015
05:32 AM  Summarize topic     gemini-3-flash-preview    6.0s      Success  3,846   128     $0.0023
05:32 AM  Summarize topic     gemini-3-flash-preview    6.7s      Success  783     111     $0.0007
05:32 AM  Summarize topic     gemini-3-flash-preview    6.7s      Success  3,283   177     $0.0022
05:32 AM  Summarize topic     gemini-3-flash-preview    4.7s      Success  593     114     $0.0006
05:32 AM  Summarize topic     gemini-3-flash-preview    7.0s      Success  6,657   170     $0.0038
05:32 AM  Summarize topic     gemini-3-flash-preview    6.7s      Success  3,218   154     $0.0021
