Axios Hijacked by NK Hackers, Next.js RCE Live, 66+ Packages Poisoned

Supply Chain: Axios and LiteLLM Both Compromised in Days

  • axios@1.14.1 and axios@0.30.4 were published via a hijacked maintainer account on March 31, containing a RAT delivered through malicious transitive dependency plain-crypto-js@4.2.1; both poisoned versions dropped within 39 minutes of each other across a package with 100M+ weekly downloads.
  • Projects using caret ranges (^1.14.0, ^0.30.0) silently pulled the malicious code on next install; roll back to axios@1.13.5 or earlier and set ignore-scripts=true in ~/.npmrc.
  • GTIG attributes the attack to a North Korea-nexus threat actor whose npm permissions briefly exceeded the legitimate maintainers', delaying revocation. Socket's scanner flagged the package within 6 minutes of publication.
  • Malicious LiteLLM versions 1.82.7 and 1.82.8 were live for ~40 minutes on March 27 as part of the separate TeamPCP campaign; LiteLLM is estimated present in 36% of cloud environments.
  • AI recruiting firm Mercor ($10B valuation) confirmed compromise via a poisoned Trivy scanner dependency in its CI/CD pipeline; Lapsus$ claims to be auctioning 4TB of stolen data including candidate PII, SSH keys, source code, and cloud secrets.
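A lockfile and manifest check for the Axios items above, as an added example that is not from this briefing or any vendor named in it. The function names and sample data are constructed; the range check assumes exact pins and plain ^x.y.z ranges only, and the flagged versions are the ones listed above.

```javascript
// Added example. Versions are the ones named in the briefing; sample data is constructed.
const BAD = new Map([["axios", ["1.14.1", "0.30.4"]], ["plain-crypto-js", ["4.2.1"]]]);
// Return every poisoned package resolved in a parsed package-lock.json.
function findPoisoned(lock) {
  const hits = [];
  const check = (name, version, where) => {
    if ((BAD.get(name) || []).includes(version)) hits.push({ name, version, where });
  };
  if (lock.packages) { // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages))
      if (path !== "") check(path.split("node_modules/").pop(), meta.version, path);
  } else { // lockfileVersion 1: nested "dependencies" tree
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta.version, [...trail, name].join(" > "));
        walk(meta.dependencies, [...trail, name]);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// True if a declared range (exact pin or plain ^x.y.z) can resolve to `version`.
function admits(range, version) {
  const m = /^\^(\d+)\.(\d+)\.(\d+)$/.exec(range);
  if (!m) return range === version;
  const lo = m.slice(1).map(Number), v = version.split(".").map(Number);
  const fixed = lo[0] > 0 ? 1 : lo[1] > 0 ? 2 : 3; // caret pins the left-most non-zero part
  for (let i = 0; i < fixed; i++) if (lo[i] !== v[i]) return false;
  for (let i = fixed; i < 3; i++) if (v[i] !== lo[i]) return v[i] > lo[i];
  return true;
}

// List direct dependencies in package.json whose range admits a poisoned version.
function riskyRanges(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies"])
    for (const [name, range] of Object.entries(pkg[field] || {}))
      for (const bad of BAD.get(name) || [])
        if (admits(range, bad)) out.push(`${name}@${range} admits ${bad}`);
  return out;
}

const sampleLock = { lockfileVersion: 3, packages: { "": { name: "demo" },
  "node_modules/axios": { version: "1.14.1" },
  "node_modules/demo-dep/node_modules/plain-crypto-js": { version: "4.2.1" } } };
const samplePkg = { dependencies: { axios: "^1.14.0", "left-pad": "^1.3.0" } };
console.log(findPoisoned(sampleLock), riskyRanges(samplePkg));
```

A hit from findPoisoned means the bad version was actually resolved; a hit from riskyRanges only means the declared range would have accepted it on a fresh install.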

TeamPCP Campaign: One Misconfiguration, Eight Days, 66+ Packages

  • a16z's post-mortem on TeamPCP traces the cascade: a Trivy scanner misconfiguration led to stolen tokens, which propagated CanisterWorm self-replication across GitHub Actions, Docker Hub, npm, PyPI, and the VS Code marketplace within 8 days, hitting 66+ npm packages.
  • ReversingLabs published an IR checklist specific to the Axios incident; Wiz, Snyk, Aikido, and StepSecurity have also released incident analyses.

Active Exploitation: CVE-2025-55182 (CVSS 10.0) in Next.js

  • Cisco Talos tracks threat cluster UAT-10608 exploiting the "React2Shell" flaw in Next.js App Router/React Server Components for RCE, with 766 hosts confirmed breached.
  • Post-compromise dropper deploys NEXUS Listener v3, harvesting env vars, SSH keys, K8s tokens, Docker configs, AWS/GCP/Azure IAM creds, and API keys for Stripe, OpenAI, Anthropic, and GitHub — with a GUI C2 dashboard for searching stolen sets; Talos accessed one unauthenticated instance.
  • Actions: patch Next.js immediately, enable secret scanning, enforce IMDSv2 on EC2, and rotate all credentials on any exposed deployment.

Vulnerability Patches: Cisco IMC and Chrome Zero-Day


AI-Generated Code and DAST Coverage Gaps

  • StackHawk's 2026 AppSec Leader's Guide reports 87% of respondents use AI coding assistants and 51% of professional developers use them daily — increasing code volume and static findings while business logic and runtime flaws go undetected by SAST alone.
  • a16z's Axios analysis found AI agents select known-vulnerable dependency versions 50% more often than humans, frequently choosing harder-to-remediate versions; one researcher's LLM-hallucinated package name received 30,000 downloads in weeks, many from automated pipelines (a live slopsquatting data point).
  • FDM Group CISO Sawan Joshi summarizes the velocity problem: "Companies are using AI to produce code faster than they can consume it" — security review cannot keep pace; prompt injection and insecure defaults in AI-generated code are the leading deployed-app risks per practitioner reporting.
