Descriptions:
Dave’s Garage breaks down two significant security incidents that occurred on March 31, 2026, both with direct implications for developers and AI teams. The first is a sophisticated supply chain attack against Axios, the JavaScript HTTP client used in over 100 million npm installs per week. Attackers compromised the lead maintainer’s account and pushed two malicious versions (1.14.1 and legacy 030.4) that used a “phantom dependency” — an injected package called plain-cryptojs that triggered a post-install hook to silently download a remote access trojan targeting AWS keys, GitHub tokens, and database credentials. The dropper executed a self-destruct sequence after deployment to erase evidence. Google’s Threat Intelligence Group attributed the attack to North Korean group UNC 1069. Developers who ran npm install between midnight and 3:15 a.m. UTC are advised to treat affected machines as fully compromised and revoke all stored credentials.
The second incident involves Anthropic accidentally shipping a 60MB JavaScript source map file (cl.js.map) in a Claude Code CLI release, exposing approximately 512,000 lines of proprietary TypeScript across 1,900 source files. The repository was mirrored and forked over 40,000 times within hours. The leaked code offered a rare look at Anthropic’s engineering practices, including regex-based frustration detection to avoid spending tokens on sentiment analysis, and game-engine-style terminal rendering using an N32-backed character pool and bitmask-encoded style metadata.
Defensive recommendations for both incidents are practical: use npm ci and the --ignore-scripts flag for package installs, pin versions via lock files, and treat any machine that ran the affected Axios versions as compromised.
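The recommendations above, turned into a working check. This is an added example, not code from Dave's Garage, Axios or npm: it walks a package-lock.json (lockfileVersion 2/3 "packages" layout), flags the Axios versions named in the report and any resolution of the plain-cryptojs phantom dependency, and only on a clean result runs npm ci --ignore-scripts so a post-install hook never executes. The sample lockfile it writes is constructed for the demo; the report prints the legacy version as "030.4", and 0.30.4 is assumed here to be the intended semver spelling, so both forms are checked.

```shell
#!/bin/sh
# Added example (not from Dave's Garage or the Axios/npm projects): audit a
# lockfile for the versions named in the report before installing with
# lifecycle scripts disabled.
set -eu

# Values from the report. "030.4" is how the report prints the legacy version;
# 0.30.4 is an assumed normalisation, so both are listed.
BAD_AXIOS_VERSIONS="1.14.1 0.30.4 030.4"
PHANTOM_DEP="plain-cryptojs"

# Print "<package> <version>" for every entry under "packages" in a lockfile.
# Nested installs (node_modules/a/node_modules/axios) reduce to the leaf name;
# the root entry ("") has no node_modules/ key and is skipped.
lock_entries() {
  awk '
    /"node_modules\/[^"]*":/ {
      p = $0; sub(/^.*node_modules\//, "", p); sub(/".*$/, "", p); pkg = p
    }
    pkg != "" && /"version":/ {
      v = $0; sub(/^.*"version":[ \t]*"/, "", v); sub(/".*$/, "", v)
      print pkg, v; pkg = ""
    }' "$1"
}

# Exit 0 when the lockfile is clean, 1 when it pins a flagged axios version or
# resolves the phantom dependency at any version. Findings go to stdout.
audit_lockfile() {
  lock_entries "$1" | awk -v bad="$BAD_AXIOS_VERSIONS" -v phantom="$PHANTOM_DEP" '
    BEGIN { n = split(bad, b, " "); for (i = 1; i <= n; i++) badv[b[i]] = 1 }
    $1 == "axios" && ($2 in badv) { print "FLAG axios@" $2; hit = 1 }
    $1 == phantom { print "FLAG phantom dependency " phantom "@" $2; hit = 1 }
    END { exit (hit ? 1 : 0) }'
}

# Install strictly from the lockfile, refuse if the audit flags anything, and
# keep npm from running preinstall/postinstall hooks.
safe_install() {
  audit_lockfile "${1:-package-lock.json}" || {
    echo "lockfile flagged; not installing" >&2
    return 1
  }
  npm ci --ignore-scripts
}

# Constructed sample lockfile (not a real project's file) so the audit can be
# exercised offline; it pulls in a flagged axios build and the phantom package.
write_sample_lockfile() {
  cat > "$1" <<'EOF'
{
  "name": "sample-app",
  "lockfileVersion": 3,
  "packages": {
    "": {
      "name": "sample-app",
      "version": "0.0.1"
    },
    "node_modules/axios": {
      "version": "1.14.1",
      "resolved": "https://registry.invalid/axios/-/axios-1.14.1.tgz"
    },
    "node_modules/plain-cryptojs": {
      "version": "0.0.1",
      "hasInstallScript": true
    },
    "node_modules/left-pad": {
      "version": "1.3.0"
    }
  }
}
EOF
}

# Demo run against the constructed lockfile (audit only; no npm call).
tmpdir=$(mktemp -d)
write_sample_lockfile "$tmpdir/package-lock.json"
if audit_lockfile "$tmpdir/package-lock.json"; then
  echo "sample lockfile: clean"
else
  echo "sample lockfile: flagged, npm ci --ignore-scripts would be skipped"
fi
rm -rf "$tmpdir"
```

In a real checkout, call `safe_install` from the project root (or `safe_install path/to/package-lock.json`); a lockfileVersion 1 file has no "packages" map and yields no entries, so extend lock_entries before relying on it there.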
📺 Source: Dave’s Garage · Published April 02, 2026
🏷️ Format: News Analysis