Technology

One of JavaScript's most popular libraries compromised by hackers — Axios npm package hit in supply chain attack that deployed a cross-platform RAT

Source

Tom's Hardware

Published

Mar 31, 2026

TL;DR

AI Generated

Hackers compromised the npm account of a lead Axios maintainer, publishing two malicious versions of the JavaScript HTTP client library, axios@1.14.1 and axios@0.30.4, injecting a hidden dependency that installed a cross-platform remote access trojan on developer machines. The trojan disguised as the legitimate crypto-js library made outbound connections to a command-and-control server, downloading a RAT payload on macOS, Windows, and Linux systems. The attack lasted roughly 18 hours, with advisories recommending compromised systems to rotate credentials immediately. The compromised versions were live for a few hours before being unpublished by npm.

Read Full Article

The Download: Trump’s new AI order, and smart glasses for warfare

President Trump signed a new AI order focusing on innovation and security, introducing a voluntary review system for tech companies to share models with the government before release. Meanwhile, defense-tech company Anduril is developing smart glasses for warfare with Meta, envisioning drone strike orders via eye-tracking and voice commands. SpaceX plans to raise $75 billion in an IPO, Meta scales back worker tracking for AI training, and Microsoft launches a new AI assistant. Additionally, concerns arise about AI's impact on mathematics, surveillance, and cybersecurity.

MIT Technology Review•

8 hours ago

Trump signs AI executive order seeking 30-day government access to frontier models before release — voluntary framework will include classified benchmark to determine which models qualify

President Trump has signed an executive order requiring AI companies to provide the government with early access to their most advanced models for up to 30 days before public release. This voluntary framework includes a classified benchmark to determine which models qualify for review. The order tasks agencies like the NSA and CISA with creating the benchmark and selecting trusted partners for review. The directive also establishes an "AI cybersecurity clearinghouse" to coordinate vulnerability scanning and patch distribution. Critics raise concerns about potential government interference in deciding who gains early access to powerful AI models.

Tom's Hardware•

8 hours ago

MIT Technology Review

The Download: AI can run your admin department now

AI is increasingly taking on basic administrative tasks for small businesses, from organizing notes to invoicing and social media planning. Anthropic has confidentially filed for an IPO ahead of OpenAI, aiming to go public this fall. The EU may exclude US cloud giants like Amazon, Microsoft, and Google from critical contracts to reduce dependence on US tech. Florida has become the first state to sue OpenAI over alleged child safety risks related to ChatGPT. Hackers exploited Meta AI to steal Instagram accounts, highlighting the risks of offloading support to AI.

MIT Technology Review•

1 day ago

Dozens of Red Hat packages backdoored through its official NPM channel

Red Hat's official NPM accounts were compromised, leading to the distribution of a malicious worm that steals sensitive credentials across machines. The attack targeted the @redhat-cloud-services channel, a trusted source for Red Hat packages, affecting over 30 packages. The malware collects credentials during the npm install process and spreads by republishing infected packages to other accounts. Organizations are advised to consider systems that installed the affected packages as potentially compromised, as the payload executes during installation, not runtime use. The malware encrypts and sends credentials through web requests, with a fallback option to publish data to compromised GitHub repositories.

Ars Technica•

2 days ago

The Download: Trump’s new AI order, and smart glasses for warfare

MIT Technology Review•

8 hours ago

Trump signs AI executive order seeking 30-day government access to frontier models before release — voluntary framework will include classified benchmark to determine which models qualify

Tom's Hardware•

8 hours ago

MIT Technology Review

The Download: AI can run your admin department now

MIT Technology Review•

1 day ago

Dozens of Red Hat packages backdoored through its official NPM channel

Ars Technica•

2 days ago

One of JavaScript's most popular libraries compromised by hackers — Axios npm package hit in supply chain attack that deployed a cross-platform RAT

TL;DR

Similar Articles

The Download: Trump’s new AI order, and smart glasses for warfare

Trump signs AI executive order seeking 30-day government access to frontier models before release — voluntary framework will include classified benchmark to determine which models qualify

The Download: AI can run your admin department now

Dozens of Red Hat packages backdoored through its official NPM channel

We use cookies

One of JavaScript's most popular libraries compromised by hackers — Axios npm package hit in supply chain attack that deployed a cross-platform RAT

TL;DR

Similar Articles

The Download: Trump’s new AI order, and smart glasses for warfare

Trump signs AI executive order seeking 30-day government access to frontier models before release — voluntary framework will include classified benchmark to determine which models qualify

The Download: AI can run your admin department now

Dozens of Red Hat packages backdoored through its official NPM channel