Hacker News — 2026-04-04#
Top Story#
Post Mortem: axios NPM supply chain compromise
The JavaScript ecosystem is on fire again, as the lead maintainer of the incredibly popular axios library was compromised via a targeted social engineering campaign that deployed RAT malware. Attackers published two malicious versions (1.14.1 and 0.30.4) that inject a dependency installing a remote access trojan across macOS, Windows, and Linux. While the packages were only live for three hours, the blast radius is massive, and anyone who ran a fresh install between 00:21 and 03:15 UTC on March 31 needs to nuke their node_modules and rotate all secrets immediately.