The Three Hour Attack Window npm Leaves Open by Default
In late March 2026, an attacker hijacked the npm account of axios's lead maintainer and published backdoored versions of the library. Axios has 100 million weekly downloads. The packages were live for about three hours before being pulled, with CISA and Singapore's CSA both issuing advisories.

