Active Incident - axios npm Attack · March 31, 2026

Prevent open source dependency attacks from impacting your software supply chain.

Open source packages are one of the most targeted attack surfaces in modern software development. When a popular package is compromised, millions of machines can be infected in hours.

Pulling through private registries leaves your organization open for attack. Cloudsmith sits between your developers and public registries, applying cooldown policies, real-time malicious package detection, and policy enforcement before anything reaches your pipeline.

Dependency attacks

The scale of the problem, in numbers.

Software supply chain attacks aren't an edge case. For nearly half of all engineering teams, they're a lived reality - and the frequency, sophistication, and regulatory consequences of these attacks are only increasing. The question facing engineering and security leaders today isn't whether their supply chain will be targeted. It's whether they'll have the controls in place to stop an attack before it becomes a breach, a headline, or a compliance failure.
100M+

weekly downloads affected in the latest axios breach

80-90%

of the typical enterprise codebase comes from open source dependencies

AI generated code

The software supply chain has never been a more attractive target and AI is accelerating the exposure.

40-50% of committed code is now AI-generated. Agents can pull dependencies automatically, at a scale and speed existing review processes can’t follow, with no approved package list and no concept of your security posture.

Meanwhile, a single compromised package can cascade through millions of downstream environments simultaneously. The blast radius of one impacted dependency has never been larger.

40-50%

of committed code is now written with AI assistance - code that has no organisational memory, no approved package list, and no concept of your security posture

0%

of engineering teams experienced a security incident caused by a third-party dependency in the past 12 months

The threat landscape

These aren't hypothetical risks. They're happening now, repeatedly, and at scale.

Supply chain attacks have moved from occasional incidents to a sustained campaign against the open source ecosystem. The axios breach is just the latest example - a reminder that the next target is rarely predictable, but the attack pattern almost always is.
Axios npm attack

Axios npm - March 31, 2026

On March 31, 2026, axios – the JavaScript HTTP client with over 100 million weekly downloads – was compromised via a hijacked maintainer account, injecting a hidden dependency whose sole purpose was to deploy a Remote Access Trojan across macOS, Windows, and Linux. The attack was pre-planned, sophisticated, and designed to leave no trace. Cloudsmith's cooldown policies would have blocked the malicious dependency outright – it didn't exist before the day of the attack.
How Cloudsmith helps keep organizations safe

Enforce policy at ingestion Stay protected as the threat landscape changes.

Securing the software supply chain means evaluating every package request before it reaches a developer or build pipeline. Cloudsmith sits between your developers and public registries, giving teams the infrastructure to write and enforce policies that apply automatically and continuously.
    Complete supply chain visibility:
    You can’t govern what you can’t see. Cloudsmith gives teams a single place to manage every artifact type, every format, across every team – with an audit trail of what entered, how it was evaluated, and where it stands today.
    Cooldown policies:
    Many supply chain attacks rely on newly registered packages staged hours before they're weaponized. Teams can write policies that block packages published within a configurable time window, stopping attacks before malicious behavior has been formally reported.
    Malicious package policies:
    Cooldown policies are time-bound by design. Once a package clears the window, you need a permanent layer of defense. Cloudsmith continuously ingests from the OpenSSF Malicious Packages project via OSV.dev. When a package is identified as malicious, the malicious package policy type blocks it immediately.

Secure your software supply chain

Most teams find out their supply chain has been compromised when it's too late. There's a better way. Cloudsmith is the interception layer that stops malicious packages before they reach your build environment - book your software supply chain assessment today.