#npm

Analysis · May 4, 2026 · PatchDay Alert Editorial Desk

Three hours was the good outcome: npm's trust model and the Axios compromise

A DPRK threat actor backdoored two Axios versions on npm. Socket flagged the malicious dependency in six minutes. Nothing stopped the downstream publish fifteen minutes later. The system worked exactly as designed.