The Axios compromise shows how time-dependent dependency resolution makes exposure harder to detect and contain.

Socket

The Axios npm supply chain attack (malicious version 1.14.1) had a much larger blast radius than initially apparent. While teams focused on checking lockfiles and node_modules, the real risk came from time-dependent dependency resolution: any tool using a semver range like ^1.x.x that performed a fresh install during the exposure window could pull in the compromised version — even without directly depending on Axios. This affected CI tools (Datadog CI, Nx, wait-on), developer CLIs (AWS Amplify CLI, Gatsby), and MCP servers. Lockfiles only protect previously resolved dependencies and don't apply to npx executions or fresh installs. The post explains why reconstructing exposure after the fact is nearly impossible, and provides concrete mitigations: using npm ci with committed lockfiles, replacing npx with npx --no --offline in CI, and using install-time firewall tools that can block malicious packages before execution.

The Hidden Blast Radius of the Axios Compromise

Exposure Across Widely Used Production SDKs #

Why the Blast Radius Is Larger Than It Looks #

The Hardest Part of Figuring Out If You Were Affected #

The Core Problem: Time-Dependent Dependency Resolution #

What Actually Helps (and What Doesn’t Fully Solve It) #

How to De-Risk Run Time Dependency Resolution #