In March 2026, someone hijacked a maintainer account for Axios, a JavaScript HTTP library downloaded more than 45 million times per week on npm, and pushed poisoned versions straight to the public registry. Any developer or automated build pipeline that pulled the latest release during that window may have ingested code designed to steal data or open a backdoor. The incident was not an isolated stunt. According to Sonatype’s 2025 State of the Software Supply Chain report, the number of malicious packages detected across major open-source registries climbed 73% year over year, and security researchers say the pace has only accelerated into 2026.
The Cyber Security Agency of Singapore formalized the warning in May 2026 with advisory AD-2026-003, a document that treats supply-chain poisoning not as a theoretical risk but as an active campaign. The advisory, published on the agency’s official advisory page, catalogs two primary attack vectors: maintainer account takeovers and malicious dependency injection. Both exploit the trust model that makes open-source development fast. When an attacker seizes a maintainer’s credentials, they can push tainted updates to packages that thousands of downstream applications already depend on. Because most build pipelines pull updates automatically, a single compromised package can reach production systems before anyone notices the change.
The Axios breach and what it revealed
Axios sits at the center of modern web development. It handles HTTP requests for front-end apps, backend services, and everything in between. Its npm download count places it among the top 50 most-used JavaScript packages globally, which is precisely why attackers targeted it. The CSA advisory confirms that unauthorized versions were published directly to the npm registry, though it stops short of specifying how many developers downloaded those versions before they were pulled.
That gap matters. If the compromised credentials came from a phishing attack, the fix is phishing-resistant multi-factor authentication. If they were stolen from a leaky CI/CD pipeline, the response looks entirely different: hardened build infrastructure, narrower token scopes, and short-lived credentials. As of June 2026, Axios maintainers have not released a public post-mortem, and npm has not disclosed download counts for the malicious versions. Without those details, organizations that use Axios are left guessing at their own exposure.
The Axios case echoes a pattern that has repeated across the ecosystem for years. In 2024, a backdoor was discovered in xz-utils, a compression library embedded in nearly every Linux distribution, after a contributor spent two years building trust with maintainers before inserting malicious code. In 2021, the ua-parser-js package on npm was hijacked through a compromised maintainer account, affecting millions of weekly downloads. Each incident exposed the same structural weakness: open-source registries grant enormous distribution power to a small number of account holders, and the verification layer between a code push and a production deployment is often paper-thin.
How the attacks work
The CSA advisory describes two main techniques in detail. The first is account takeover. Attackers obtain maintainer credentials through phishing, credential stuffing, or token theft, then publish new versions of legitimate packages containing hidden payloads. Because downstream projects typically trust updates from known packages, the malicious code rides existing dependency chains into production.
The second technique is dependency poisoning, which includes typosquatting. Attackers register packages with names that closely resemble popular libraries. A developer who misspells axios as axois during installation could pull the attacker’s version instead. More sophisticated variants alter package metadata to redirect dependency resolution, a tactic the CSA advisory links to a September 2025 incident in which tampered metadata was used to evade automated security scans. Full details of that case have not been published in a standalone report, so its scope remains unclear.
What makes both vectors dangerous is automation. Continuous integration pipelines, automated dependency updates through tools like Dependabot or Renovate, and microservice architectures all amplify the blast radius of a single compromise. A poisoned package that enters one service can propagate laterally through shared internal registries, container images, and deployment artifacts.
The 73% figure and what it does (and doesn’t) tell us
Sonatype’s annual report, which tracks malicious packages across npm, PyPI, Maven Central, and other registries, recorded the 73% year-over-year increase through late 2025. The company’s methodology relies on its own scanning infrastructure and malware classification criteria, which means the number reflects one firm’s detection lens rather than a universal census. Other security vendors, including Snyk and Socket, have published broadly consistent trend lines showing sharp increases in supply-chain attacks, though their exact counts differ because they define “malicious” differently and scan different subsets of registries.
No single authoritative dataset from npm, GitHub, or PyPI reconciles these numbers into a unified figure with transparent criteria and time frames. That does not mean the trend is fabricated. It means readers should treat the 73% as a credible directional indicator rather than a precise measurement. The underlying pattern, confirmed independently by multiple security firms and now by a government advisory, is not in dispute: attackers are targeting open-source registries at a scale that dwarfs anything seen before 2023.
What the ecosystem is doing about it
The response has been uneven. npm began requiring two-factor authentication for maintainers of high-impact packages in 2022 and has gradually expanded that requirement. PyPI followed with a similar mandate for critical projects in 2024. The Sigstore project, backed by the Open Source Security Foundation, now provides free code-signing and provenance attestation tools that let consumers verify who published a package and from which source repository. npm introduced provenance attestations in 2023, allowing packages built through supported CI systems to carry a cryptographic link back to their source code.
Adoption, however, remains patchy. Provenance attestations are optional, and most packages on npm still lack them. Sigstore integration is growing in the Python and container ecosystems but is far from universal. The CSA’s Internet Hygiene Portal, referenced in the advisory, frames secure software development as part of ongoing organizational hygiene alongside patch management, access control, and monitoring, but it does not mandate specific tooling.
What development teams should do now
The CSA advisory recommends several defensive steps that organizations can act on immediately, and none of them require exotic tooling:
- Enable multi-factor authentication on all package registry accounts, especially those with publish permissions. Phishing-resistant methods like hardware security keys are preferable to SMS or TOTP codes.
- Pin dependency versions in lock files rather than accepting automatic updates to the latest release. This creates a deliberate review step before new code enters the build.
- Verify package checksums against known-good hashes before allowing builds to proceed. Tools like npm’s
--ignore-scriptsflag and Socket’s dependency analysis can flag unexpected changes. - Audit the full dependency tree, not just direct imports. Transitive dependencies, the packages your packages depend on, carry the same risks and are often overlooked.
- Revoke stale credentials. Unused publish tokens and API keys are among the easiest entry points for account takeovers. Cleaning them up takes minutes.
These measures raise the cost for attackers and shrink the window during which a poisoned package can spread undetected. They do not eliminate risk. No checklist can, when the underlying model depends on trusting code written and maintained by strangers on the internet.
A structural problem, not just a security bug
The deeper issue is architectural. Modern software is assembled, not written from scratch. A typical Node.js application pulls in hundreds of transitive dependencies, each maintained by individuals or small teams with varying security practices. The Axios incident, the xz-utils backdoor, and the steady drumbeat of typosquatting campaigns all point to the same conclusion: the open-source supply chain has become critical infrastructure, but it is not yet governed or defended like critical infrastructure.
Government advisories like Singapore’s AD-2026-003 signal that regulators are beginning to treat this as a policy problem, not just a technical one. The European Union’s Cyber Resilience Act, which takes effect in phases through 2027, will impose due-diligence requirements on software producers who distribute products containing open-source components. In the United States, CISA has pushed federal agencies toward software bills of materials (SBOMs) and secure-by-design principles.
For the teams writing and shipping code today, the message from the first half of 2026 is blunt. The registries that make modern development possible are under sustained, organized attack. Treating dependency management as a convenience rather than a security boundary is a bet that gets riskier with every compromised package that slips through.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
