
The story of the supply chain attack on axios, and the preparations my project already had in place
https://zenn.dev/rescuenow/articles/880bf865235aaf
This page discusses a supply chain attack on the npm package "axios" that occurred on March 31, 2026. The attackers stole a maintainer's access token and used it to publish malicious versions (1.14.1 and 0.30.4) that pulled in a bogus dependency, "plain-crypto-js", which dropped a trojan on install. The malicious releases were flagged by Socket within 6 minutes of publication and removed by npm's security team within 3 hours. The author's project was not directly affected because it did not depend on axios; even if it had, the author notes it would have been protected by Takumi Guard, an npm registry proxy they had recently deployed in front of their builds. With supply chain attacks on the rise, the author recommends putting protective tooling such as a registry proxy between developers, CI and the public registry as a standing defense rather than relying on after-the-fact cleanup.
