Two malicious versions of Axios were briefly published to npm on March 31 after a social engineering attack compromised maintainer Jason Saayman's machine. The attacker posed as a legitimate company, gained access to his device, hijacked his browser sessions and cookies, and used the maintainer's own credentials to publish a remote access trojan targeting macOS, Windows, and Linux. Because the attacker operated with the maintainer's real access, protections like 2FA and OIDC-based publishing offered no defense. The incident highlights a systemic weakness of the open source ecosystem: widely used packages often depend on solo maintainers who face sophisticated attacks without institutional support, making maintainers themselves a critical and underprotected layer of the software supply chain.

From socket.dev

Table of contents

A Targeted Social Engineering Attack
The Burden on Solo Maintainers as Supply Chain Targets