Supply chain attack compromises Axios, one of npm’s most-downloaded packages

Source: Socket

A malicious dependency injected into Axios, a package downloaded 100M times weekly, shows that even heavily scrutinized open-source infrastructure remains vulnerable to multi-stage payload attacks, in which attackers use the initial compromise to deploy secondary malware rather than to cause immediate damage. Enterprises must update their threat model: the risk is not only that dependencies can be poisoned, but that the poisoning can be weaponized in staged, evasive ways that delay detection across thousands of downstream applications. The attack surface of npm's dependency graph now includes not just gaps in code review but also timing-based exploitation tactics borrowed from advanced persistent threats.