npm axios attack: What happened and how to protect your supply chain

Nigel Douglas

Head of Developer Relations

Jenn Gile

Founder

LIVE BRIEFING: This week, axios - the JavaScript HTTP client with over 100 million weekly npm downloads - was compromised in a supply chain attack. A malicious actor used a compromised maintainer account to inject a remote access trojan into two active release branches.

Join our Head of Developer Relations, Nigel Douglas and Founder of OpenSourceMalware, Jenn Gile for a 30-minute live breakdown of the attack and practical steps any engineering team can take to reduce their exposure to this type of threat.

Live Briefing: Lessons from the axios npm attack

By submitting, you are subscribing to artiFACTS, Cloudsmith's monthly product newsletter. You can unsubscribe at any time.

Most software pipelines focus on writing code and deploying it, but the real risk is what happens in between. Join Cloudsmith and Octopus Deploy to learn how to build trust in software artifacts and enforce security and compliance through your Golden Path.

Ralph McTeggart 

Principal Engineer

Steve Fenton

Director of Developer Relations

Cristian Garcia

Senior Customer Success Manager

Golden Paths help scale developer productivity - but most stop before the point where trust actually breaks down.

Teams invest in source control and deployment automation, but what happens in between - artifact movement, approvals, and integrity - is often overlooked.

In this session, Cloudsmith and Octopus Deploy will show how to build trust continuously, from source to ship. You’ll leave with a clear mental model for trust in software delivery, and practical guidance on enforcing chain of custody, policy, and authorization through your Golden Path.

Because if you can’t prove it, you don’t control it.


Building trust from source to ship: The missing link in your Golden Path

Learn how to safely ingest, verify, and manage LLM models from Hugging Face in this live webinar. See a real workflow for quarantining, approving, and promoting models into production without slowing developers down.

Liana Ertz

Product Manager

Open model ecosystems like Hugging Face have transformed how teams build with AI. But with that speed comes risk: unverified publishers, mutable artifacts, dependency confusion, and models that change beneath your feet.

If you’re pulling models straight into production pipelines, you’re inheriting all the uncertainty of the public internet - into some of your most sensitive systems.

In this live session, Cloudsmith experts will show you how to take control of your AI supply chain. You’ll learn how to securely ingest, verify, and distribute LLM models from Hugging Face without slowing your teams down.

How to securely source your LLM models from Hugging Face

Sofware supply chain security

Attackers are exploiting typos and AI-generated code to slip malicious packages into software ecosystems. Learn how typosquatting and slopsquatting attacks work, why AI is accelerating them, and the practical steps to detect, prevent, and secure your supply chain.

As software ecosystems expand, attackers are exploiting the smallest cracks - from a single typo to a reused name - to sneak in malicious packages. The rise of AI-generated code has amplified this problem. Automated code suggestions, dependency management, and code-completion tools can unintentionally introduce lookalike or compromised packages into projects. These lookalikes are easy to miss and can bypass traditional security checks, creating serious downstream risk.

This session combines real-world examples with practical advice on how to detect, respond to, and prevent squatting attacks in a world where AI-driven development is changing how code is written, shared, and reused. You’ll leave with a clearer understanding of how these threats operate, a simple framework for detection and response, and actionable steps to make your package ecosystem more resilient.

From naming hygiene to automation strategies, this session will help your teams stay one step ahead of the next squatting campaign, whether it is targeting human developers or being propagated by AI-generated code, and keep your software supply chain secure.

Typosquatting & Slopsquatting: Detecting and defending against malicious packages

Don’t let hidden threats slow you down. Discover how Cloudsmith & Kusari enable proactive security to prevent tampering, improve visibility, and speed deployments—reducing rework and strengthening your software supply chain.

Ben Cotton

Open Source Program Lead

Security checks are more critical than ever as attackers increasingly target software supply chains, from dependencies to CI/CD systems. But speed is just as important. Slowing down development isn’t an option, so organizations need security that enables rapid releases without adding friction.

The real competitive advantage comes from building security into your workflow so that speed and safety go hand in hand. Whether you’re under pressure to reduce risk, or enabling speed at scale, you’ll leave with actionable steps to make your pipeline not only secure but trustworthy - and spookily efficient.

In this joint webinar from Cloudsmith and Kusari, our experts will show you how to turn security from a bottleneck into a force multiplier.

Live Briefing: Lessons from the axios npm attack

Things you'll learn

Speakers

Summary

Building trust from source to ship: The missing link in your Golden Path

How to securely source your LLM models from Hugging Face

Typosquatting & Slopsquatting: Detecting and defending against malicious packages

More Trust, Less Boo! Haunt-Free Deployments with Cloudsmith & Kusari