The Axios case: what a compromised package teaches about trusting npm
On March 31, 2026, between 00:21 UTC and roughly 03:15 UTC, two versions of axios sat on the npm registry with an extra dependency declared in package.json: plain-crypto-js@4.2.1. That dependency was never imported at …