Field Notes
The Package That Wasn't
31 March 2025
It started as maintenance work. A client’s WordPress site, routine dependency update, nothing that should have taken more than an hour.
We ran npm install. Among the packages pulled in was axios — one of the most widely used HTTP libraries in the JavaScript ecosystem. Hundreds of thousands of projects depend on it. You don’t think twice about axios.
We thought twice.
Something in the install felt off. The package hash didn’t match what we expected. A quick check against the registry confirmed it: the version we’d pulled was not the version that had been published. Somewhere between the registry and our machine, or inside the registry itself, something had been substituted.
This is a supply chain attack. Not a theoretical one. Not a conference talk. One happening in real time, on a client’s production environment, during what was supposed to be a quiet Tuesday.
What We Did
We isolated the environment immediately. Nothing from that install touched the client’s server. We pulled the full dependency tree and checked hashes against known-good versions. We documented everything — package name, version, hash, timestamp, registry response.
We then did what most people don’t: we reported it upstream. Supply chain incidents only get fixed if someone says something.
The client’s site went live two days later, clean, with a locked dependency manifest and a note in their documentation explaining why.
What This Means
The npm ecosystem has a trust problem. Not a new one — but an underappreciated one. When you run npm install, you are executing code written by strangers, distributed through infrastructure you do not control, pulled into an environment that has access to your secrets, your filesystem, and your network.
Most developers know this abstractly. Few treat it as an operational reality.
Some things worth doing:
- Lock your dependency versions. package-lock.json exists for a reason. Use it.
- Verify hashes on anything critical. Tools like npm audit are a start, not a finish.
- Treat your build environment as hostile. It might be.
- Know what your dependencies actually do. axios makes HTTP requests. If your version of axios is also doing something else, that is worth knowing.
Supply chain attacks are increasing in frequency and sophistication. The target is usually not you specifically — it is anyone who installs without looking. The defence is not complicated. It is just attention.
We got lucky. Or rather: we were paying attention. On a quiet Tuesday, that was enough.