News16 July 2026

Uncloaked: The Software Supply Chain Had a Brutal Few Months (And It's Not Over)

Uncloaked: The Software Supply Chain Had a Brutal Few Months (And It's Not Over)

Uncloaked: The Software Supply Chain Had a Brutal Few Months (And It's Not Over)

Four separate npm compromises in four months, plus a subdomain takeover disclosed against one of the most security-conscious companies in the industry. This edition is less about a single bug and more about a pattern: the thing you trust because it's popular is no longer a safe assumption.

1. Axios, 100 million weekly downloads, hijacked to deliver malware

In March 2026, an attacker took over the npm publishing account of Axios' lead maintainer and pushed two malicious versions of the library, one of the most widely used HTTP clients in the JavaScript ecosystem. The poisoned releases pulled in a hidden dependency that silently installed a cross-platform remote access trojan during a routine npm install, then replaced its own files with clean copies to cover its tracks.

Why it matters: Axios sits underneath an enormous share of the JavaScript ecosystem. A single compromised maintainer account was enough to turn a routine dependency update into a malware delivery mechanism for anyone who ran npm install or npm update during the compromise window, no user action beyond a normal build required.

2. node-ipc joined the list two months later

In May 2026, three versions of node-ipc, a foundational Node.js library with over 10 million weekly downloads, were published carrying an obfuscated payload designed to steal cloud credentials, SSH keys, and CI/CD secrets straight off the machine running the install.

Why it matters: this wasn't a typosquat or a lookalike package, it was the real, trusted library, compromised at the source. The distinction matters because dependency-name allowlisting, a common mitigation, does nothing to stop this pattern.

3. A compromised GitHub account backdoored 32 packages in Red Hat's own npm namespace

In June 2026, an attacker who'd compromised a developer's GitHub account (itself infected via a malicious VS Code extension) used that access to inject malicious code into 32 packages published under Red Hat's own @redhat-cloud-services npm namespace, bypassing code review entirely. The payload, part of a malware kit researchers call Miasma, was designed to self-propagate by backdooring every package the victim could publish.

Why it matters: the entry point here wasn't the npm registry at all, it was a compromised developer tool (a VS Code extension) that gave an attacker enough access to poison a trusted publishing pipeline further downstream. The chain of trust broke several steps before the actual npm package did.

4. AsyncAPI became the most recent target, weeks ago

On July 14, 2026, Microsoft's threat intelligence team identified a coordinated compromise of the @asyncapi npm organization. Five malicious package versions across four packages were published within roughly ninety minutes, each carrying the same injected loader.

Why it matters: the pattern is accelerating, not slowing down. Security researchers tracking the npm registry describe 2026 as producing "a steady drumbeat" of these incidents, with attackers increasingly resembling well-resourced, sometimes state-linked groups rather than opportunistic individuals.

5. And separately: a subdomain takeover disclosed against Anthropic itself

Away from npm, security researcher Andrew Dorman (known as ACD421) disclosed a subdomain takeover vulnerability affecting Anthropic's infrastructure earlier this year, combining an OAuth open-redirect flaw with a dangling DNS record, a subdomain still pointed at a third-party service that was no longer in active use. It's a useful reminder that this category of bug isn't about carelessness; it happens to security-mature organizations too, because dangling DNS produces no error message on your side to flag that anything's wrong. The record just sits there, silently claimable.

Why it matters: we covered this exact failure mode in detail in a previous post. Subdomains accumulate as a natural byproduct of shipping software, and the ones nobody remembers are, by definition, the ones nobody is watching.

What actually connects these five stories

None of them are about a developer writing careless code. They're about trust placed in something upstream of the code you actually wrote, a maintainer account, a build tool, a DNS record from a project that ended two years ago. That's a harder category of risk to manage by just "being careful," because the vulnerable thing usually isn't yours.

Two practical takeaways if you're running a JavaScript-based site or app: pin dependency versions instead of accepting automatic updates on critical libraries, and audit your subdomain footprint periodically, not just when something breaks.


Sources: Trend Micro on the Axios compromise · StepSecurity on the node-ipc attack · Red Hat's advisory on the @redhat-cloud-services compromise · Microsoft Security on the AsyncAPI compromise · neteye-blog on the Anthropic subdomain takeover disclosure

Decloak checks for known vulnerable JavaScript libraries and forgotten, exposed subdomains automatically, alongside six other attack surfaces, in a free 15-second scan. Scan your site free →