Active Incident - axios npm Attack · March 31, 2026

Prevent open source dependency attacks from impacting your software supply chain security.

Open source dependencies are the #1 vector for supply chain attack prevention failures in modern engineering teams. Cloudsmith is the DevSecOps tool that sits between your developers and public registries, applying real-time malicious package detection and policy enforcement before anything reaches your pipeline.

Dependency attacks

The scale of the software supply chain security problem, in numbers.

Software supply chain attacks aren't an edge case. For nearly half of all engineering teams, they're a lived reality - and the frequency, sophistication, and regulatory consequences of these attacks are only increasing. The question facing engineering and security leaders today isn't whether their supply chain will be targeted. It's whether they'll have the controls in place to stop an attack before it becomes a breach, a headline, or a compliance failure.
100M+

weekly downloads affected in the latest axios breach

80-90%

of the typical enterprise codebase comes from open source dependencies

AI generated code

AI is accelerating software supply chain security risks faster than existing DevSecOps tools can keep up.

40-50% of committed code is now AI-generated. Agents can pull dependencies automatically, at a scale and speed existing review processes can’t follow, with no approved package list and no concept of your security posture.

Meanwhile, a single compromised package can cascade through millions of downstream environments simultaneously. The blast radius of one impacted dependency has never been larger.

40-50%

of committed code is now written with AI assistance - code that has no organisational memory, no approved package list, and no concept of your security posture

0%

of engineering teams experienced a security incident caused by a third-party dependency in the past 12 months

The threat landscape

These aren't hypothetical risks. They're happening now, repeatedly, and at scale.

Supply chain attacks have moved from occasional incidents to a sustained campaign against the open source ecosystem. The axios breach is just the latest example - a reminder that the next target is rarely predictable, but the attack pattern almost always is.
Mini Shai-Hulud reaches Packagist: the intercom/intercom-php compromise explained

Mini Shai-Hulud reaches Packagist - May 1, 2026

On April 30, 2026, the Mini Shai-Hulud campaign moved beyond npm and into Packagist. Attackers replaced the contents of intercom/intercom-php@5.0.2, Intercom's official PHP client, with over 20.7 million lifetime installs, with a credential-stealing payload that executed at install time, before any application code ever called the library. PHP teams, Laravel applications, and continuous integration (CI) pipelines that updated to that version may need to treat affected environments as compromised.
How Cloudsmith helps keep organizations safe

Cloudsmith's supply chain attack prevention starts before malicious packages ever reach your pipeline.

Securing the software supply chain means evaluating every package request before it reaches a developer or build pipeline. Cloudsmith sits between your developers and public registries, giving teams the infrastructure to write and enforce policies that apply automatically and continuously.
    Complete supply chain visibility:
    You can’t govern what you can’t see. Cloudsmith gives teams a single place to manage every artifact type, every format, across every team – with an audit trail of what entered, how it was evaluated, and where it stands today – a core requirement for any enterprise DevSecOps tool.
    Cooldown policies:
    Many supply chain attacks rely on newly registered packages staged hours before they're weaponized. Teams can write policies that block packages published within a configurable time window, stopping attacks before malicious behavior has been formally reported.
    Malicious package policies:
    Cooldown policies are time-bound by design. Once a package clears the window, you need a permanent layer of defense. Cloudsmith continuously ingests from the OpenSSF Malicious Packages project via OSV.dev. When a package is identified as malicious, the malicious package policy type blocks it immediately.

Build enterprise-grade software supply chain security with Cloudsmith

Most teams find out their supply chain has been compromised when it's too late. There's a better way. Cloudsmith is the interception layer that stops malicious packages before they reach your build environment - book your software supply chain assessment today.