Biggest Hack of 2026

The popular JavaScript HTTP library Axios was compromised in a supply chain attack via version 114 on npm. A malicious post-install script (setup.js) was injected that detects the user's OS and downloads OS-specific malware, which then calls out to a remote host (sfrclack.com). The attack used the maintainer's old npm token to push the malicious commit, bypassing his MFA protections. Any project that recently updated to the compromised version is at risk.