Supply Chain Siege: Axios Falls

Supply Chain Siege: Axios Falls

Axios, the JavaScript HTTP client with over 100 million weekly npm downloads, was compromised on March 30 when attackers hijacked the primary maintainer's npm account and published two poisoned releases: 1.14.1 and 0.30.4. The attack was surgically precise — zero lines of malicious code appeared in Axios itself. Instead, both releases injected a phantom dependency called plain-crypto-js, a package that had been pre-staged 18 hours earlier under a separate attacker-controlled account to establish publishing history and dodge "brand-new package" alarms. The dependency's sole purpose was a postinstall script that deployed a cross-platform remote access trojan targeting macOS, Windows, and Linux. Within two seconds of npm install, the dropper was already phoning home to a command-and-control server at sfrclak.com:8000 — before npm had finished resolving the rest of the dependency tree. (more: https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan)

StepSecurity's forensic analysis revealed the operational sophistication. The attacker built three separate payloads: an AppleScript-based dropper for macOS that disguised itself as com.apple.act.mond (mimicking Apple's reverse-DNS daemon naming), a VBScript-to-PowerShell chain on Windows that copied powershell.exe to %PROGRAMDATA%\wt.exe (masquerading as Windows Terminal), and a Python RAT on Linux launched via nohup to detach from the npm process tree. After execution, the malware deleted itself and swapped its own package.json with a clean stub reporting version 4.2.0 instead of the malicious 4.2.1 — meaning any incident responder running npm list post-infection would see a version number that didn't match the advisory. The Harden-Runner runtime telemetry caught it anyway: kernel-level process events showed the RAT being re-parented to PID 1, confirming the daemonization technique. A critical forensic signal was that the compromised releases lacked the OIDC Trusted Publisher metadata present in every legitimate Axios release, meaning the attacker had obtained a long-lived classic npm access token — the kind npm officially deprecated but still supports via granular access tokens that can bypass 2FA. Lead maintainer Jason Seaman confirmed he had multi-factor authentication on "practically everything," making this a case where legacy token hygiene proved more important than MFA. (more: https://youtu.be/yiLIZLPNEm8?si=OQPOHfihc06De7AD)

The timing matters. Just days ago, TeamPCP weaponized 76 Trivy version tags overnight and poisoned Checkmarx's GitHub Actions. Before that, LiteLLM's PyPI package was compromised with credential stealers. The Axios incident escalates the pattern to a package so foundational that virtually every JavaScript project with HTTP calls is downstream of it. The remediation checklist is straightforward — pin to 1.14.0 or 0.30.3, add overrides blocks to lock out the malicious versions, and configure min-release-age policies (7 days is a reasonable floor) so newly published packages get a cooldown before automatic adoption. Aiden Vaines's essay on SHA pinning is a useful companion piece here: after the Trivy incident demonstrated that tag-based references can be subverted by force-pushing tags to new commits, SHA pinning looked like the obvious fix. The problem, as Vaines argues, is that SHA pinning creates a false sense of security — it pins you to an exact artifact but does nothing to verify what that artifact contains, and it creates maintenance burden that leads teams to pin once and never update, effectively freezing their dependencies at whatever state they happened to be in when they first bothered. The real defense is defense in depth: runtime egress controls, build isolation, delayed-dependency policies, and treating the node_modules directory as a threat surface rather than a convenience. (more: https://www.vaines.org/posts/2026-03-24-the-comforting-lie-of-sha-pinning)

Anthropic's Accidental Transparency

Anthropic had a rough week. On March 31, security researcher Chaofan Shou discovered that version 2.1.88 of the @anthropic-ai/claude-code npm package shipped with a .map source map file — a debugging artifact meant strictly for internal use — that pointed to a zip archive on Anthropic's cloud storage containing the full, readable TypeScript source code of Claude Code: roughly 1,900 files and 512,000 lines. This came days after Anthropic had already accidentally exposed close to 3,000 internal files including details of an unreleased model codenamed "Mythos." The likely culprit for the source map leak was a known Bun bug (oven-sh/bun#28001, filed March 11) where source maps are served in production mode despite documentation saying otherwise. Within hours, the code was mirrored across GitHub — one repository hit 50,000 stars in two hours, ultimately surpassing 77,000. Anthropic's DMCA takedowns arrived too late to matter. (more: https://www.linkedin.com/pulse/anthropics-claude-code-source-leak-what-happened-means-rafael-knuth-rautf)

What fell out of the bundle was far more interesting than the leak itself. Andre Figueira's 500,000-line deep dive revealed Claude Code's internal codename is "Tengu" (a mischievous creature from Japanese folklore), and the architecture is not a thin chat wrapper — it is a production-grade platform with approximately 40 built-in tools, a 46,000-line query engine, and a multi-agent swarm system that runs coordinator and worker agents in separate terminal panes via tmux or iTerm2. The "Dream" system is particularly striking: every 24 hours, if 5 or more sessions have accumulated, Claude Code spawns a background agent that reviews past sessions and consolidates what it learned — a triple-gated (time, session count, filesystem lock) 4-stage consolidation pipeline the code calls "dreaming." Combined with an EXTRACT_MEMORIES system that runs at the end of each query loop, this creates a genuine learning loop: sessions produce memories, dreams consolidate memories, consolidated memories inform future sessions. The speculation engine pre-computes your likely next action while you're still typing, using a copy-on-write overlay filesystem. And the permission system that auto-approves tool calls? Internally named the "YOLO Classifier," complete with a dangerous-pattern detector that strips overly broad permission rules before the LLM classifier sees them. (more: https://buildingbetter.tech/p/claude-code-was-leaked-i-read-all)

The community reaction split predictably. One camp pointed out that npm packages have always been readable — the source map just converted minified JavaScript into commented TypeScript, a qualitative but not categorical difference. Others treated it as the "free engineering education" of the decade, particularly admiring the prompt cache architecture (everything — dreams, speculation, forked agents — is built so parallel workers share byte-identical API request prefixes), the adversarial verification agent whose instructions literally say "your job is NOT to confirm it works, it's to try to break it," and the game-engine-style terminal rendering using compressed character buffers. The more concerning revelations included "undercover mode" that strips all Anthropic references from employee open-source contributions (making AI-authored code appear human-written with no opt-out), an anti-distillation mechanism that injects fake tool definitions into conversations to corrupt competitor training data, and 44 feature flags pointing to unreleased capabilities including KAIROS — a persistent, always-on autonomous agent mode with GitHub webhook integration, background sessions, and 5-minute refresh cycles. (more: https://www.linkedin.com/posts/ownyourai_so-the-claude-code-oops-source-code-leak-share-7445077962682683392-xSmr)

For the "safety-first" AI lab, two accidental exposures in one week is an expensive credibility hit. The internet did what the internet does: stripped the telemetry, rebuilt it without the phone-home components, and started treating it as a reference implementation for the next generation of open coding agents. As one commenter put it: "Thanks for the reference implementation. We'll take it from here." The mirrored repository is now available on decentralized platforms like Radicle, beyond the reach of DMCA enforcement. (more: https://www.linkedin.com/posts/ownyourai_claude-code-just-open-sourced-itself-not-activity-7444709513909317632-MR-G) The source itself is mirrored at several GitHub locations. (more: https://github.com/nirholas/claude-code)

AI Hunts for Vulnerabilities

The gap between "AI finds bugs" and "AI writes exploits" narrowed considerably this week. A team using Claude published a full write-up of CVE-2026-4747, a remote kernel-level vulnerability in FreeBSD that yields a root shell. The write-up, hosted on GitHub under the califio/publications repository, documents Claude generating not just the crash trigger but a complete working exploit — from initial vulnerability identification through memory corruption to a reliable root shell. This isn't the academic "we reproduced a known CVE" exercise that dominated the early AI-security literature; it's an original vulnerability discovery with a weaponized proof of concept. (more: https://github.com/califio/publications/blob/main/MADBugs/CVE-2026-4747/write-up.md)

The FreeBSD work sits alongside an even more aggressive demonstration from the team behind Claude Mythos, who report pointing Opus at the Linux kernel with a single instruction: "fuzz the Linux kernel and find vulnerabilities." Within 90 minutes, the model compiled three kernel variants with full sanitizer coverage (KASAN, KCSAN, UBSAN), patched syzkaller with 22 missing io_uring syscall descriptions that covered 37% of the attack surface invisible to the default fuzzer, wrote 9 custom fuzzing harnesses targeting real CVE patterns, and started hammering io_uring, nftables, namespaces, pipes, and overlayfs. The result: 10 kernel bugs across 7 subsystems — 3 critical, 7 high severity. The crown jewel was reportedly a race condition in core memory management, in the page fault path that runs on every Linux system, found by a multi-threaded "megafuzz" harness the AI designed autonomously after single-subsystem approaches hit a wall. The claims are extraordinary enough to warrant skepticism — the post is light on technical validation details and heavy on LinkedIn engagement bait ("drop 'workflow' in the comments") — but even discounting for promotional amplification, the kernel fuzzing setup automation alone represents a meaningful acceleration of the traditional weeks-of-setup timeline. (more: https://www.linkedin.com/posts/royhax_claude-mythos-cracked-the-linux-kernel-in-share-7444775227944808448-wh-E)

On the tooling side, the RedAmon team launched HackLab, an open-source attack lab with 48 agentic attack scenarios against a deliberately vulnerable server running 7 exposed services. Their published session logs show the agent handling a complete XXE injection chain — reading page source, finding a hidden "Import Notes (XML)" feature buried in dashboard JavaScript, extracting the endpoint, and crafting payloads — in 14 autonomous steps over 9 minutes, scoring 85/100 with no hints. Both raw agent logs (every tool call, every reasoning step) and decoded human-readable walkthroughs are published for every session. The project invites community contributions: run a scenario, record it, submit via PR, join the leaderboard. Failures are explicitly welcomed — sessions where the agent gets stuck are "just as valuable." (more: https://www.linkedin.com/posts/samuele-giampieri-b1b67597_cybersecurity-ai-pentesting-activity-7444832592929095680-XrEO)

Governing Agents Before They Govern Us

Researchers from Stanford, Harvard, and MIT gave AI agents real email accounts, file systems, and shell execution for two weeks. No jailbreaks, no adversarial prompting — just normal interactions. The agents started obeying strangers, leaking information, lying about task completion, and spreading unsafe behaviors to other agents. Each individual capability was harmless in isolation; the emergent behavior when composed was not. The paper's contribution isn't that AI can be made to do bad things (we knew that), but that normal, non-adversarial deployment conditions produce these failure modes reliably. When agents have persistent state and can communicate, the failure surface isn't the sum of individual agent risks — it's the product. (more: https://www.reddit.com/r/learnmachinelearning/comments/1s85jo9/stanford_harvard_and_mit_spent_two_weeks_watching/)

Vercel's engineering team, speaking from production experience, published what amounts to an internal manifesto on agent-generated code: "Green CI is no longer proof of safety." Their core argument is that agents produce code that is "dangerously convincing" — polished PR descriptions, passing static analysis, reasonable test coverage, following repository conventions — while remaining entirely blind to production realities like Redis instances near capacity, regional database constraints, or feature flag rollout load profiles. The gap between "this PR looks correct" and "this PR is safe to ship" has always existed; agents widen it by producing code that looks more flawless than ever. Their litmus test is brutally simple: would you be comfortable owning a production incident tied to this pull request? If the answer requires re-reading your own PR to figure out what the code does, the engineering process has already failed. Vercel's remedy is infrastructure-level: gated canary deployments that auto-rollback on degradation, continuous chaos experiments, and encoding operational knowledge as runnable tools rather than documentation. "Make the right thing easy to do" is the organizing principle — a world where shipping fast is safe by default because the system itself is rigorous, not because individual engineers apply extraordinary vigilance. (more: https://vercel.com/blog/agent-responsibly)

A complementary approach comes from Thomas Dullien (better known as Halvar Flake), who advocates what amounts to operational security habits borrowed from the hacker subculture: develop on rented servers via SSH, keep secrets out of the dev VM, fork a development repository from main, and review cross-repository PRs with a fine comb. The key insight is that this development model — "SSH into a machine and attach to a screen session" — was popularized by people who historically never wanted data on machines they physically owned. Applied to vibecoding, it reduces supply chain attacks to compromising the dev VM at worst, and the main secret you lose is your Claude credentials. The model is seeing a resurgence with agent-first development, where long-running compute and detached sessions are standard. (more: https://addxorrol.blogspot.com/2026/03/slightly-safer-vibecoding-by-adopting.html?m=1)

Meanwhile, the question of what happens when AI writes the strategy for adopting AI gets a sharp treatment from the Unhyped AI newsletter. The essay's central argument: the first thing AI can automate in strategy is not strategy itself — not accountable commitment, not authorship under consequence — but the appearance of strategy. Polished headings, smooth flow, options laid out, prose that sounds sure of itself. "LLMs are very good at making the future sound more linear than it is. They are much worse at protecting a team from false clarity in a handsome waistcoat." The practical danger is that AI-written strategy documents make disagreement harder to start — when someone hands you a polished document with no visible seams, the social cost of saying "this is wrong" goes up. The prose quality becomes armor. Good strategy, the essay argues, should sometimes look like it came down the mountain with torn clothes and a bloodied lip. (more: https://unhypedai.substack.com/p/when-ai-writes-the-ai-strategy)

Local AI Gets Serious

Ollama announced MLX-powered inference on Apple Silicon, and the numbers deserve attention. Running Alibaba's Qwen3.5-35B-A3B model quantized to NVFP4 on an M5 Max, Ollama reports 1,851 tokens/second prefill and 134 tok/s decode with the upcoming 0.19 release. That's a substantial jump enabled by Apple's GPU Neural Accelerators on M5, M5 Pro, and M5 Max chips. The practical implication: coding agents like Claude Code and OpenClaw running through Ollama on a MacBook Pro now get meaningfully faster responses without touching the cloud. The release also introduces NVFP4 quantization support for production parity with cloud inference providers, improved cache reuse across conversations (shared system prompts with tools like Claude Code get more cache hits), and intelligent cache snapshots that reduce prompt processing on subsequent turns. The requirement — 32GB+ unified memory — still limits this to the higher-end machines, but for anyone already in that tier, local inference just got significantly more practical for agentic workloads. (more: https://ollama.com/blog/mlx)

ClipCannon takes a different angle on local AI: it is an MCP server that turns any AI assistant into a professional video editor. You feed it a video file; it runs a 22-stage analysis DAG (transcription, scene detection, emotion analysis, speaker diarization, narrative structure, beat tracking, OCR, quality scoring) across five neural embedding spaces — visual (SigLIP, 1152-dim), semantic (Nomic, 768-dim), emotion (Wav2Vec2, 1024-dim), speaker (WavLM, 512-dim), and voice identity (ECAPA-TDNN, 2048-dim) — all stored in sqlite-vec for KNN search. Then it exposes 51 MCP tools that let an AI assistant create edits, render platform-optimized clips for 7 platforms (TikTok through YouTube 4K), generate music via ACE-Step diffusion, clone voices with Qwen3-TTS and multi-gate verification, and produce lip-synced talking-head videos via ByteDance's LatentSync. Everything runs on-device with NVENC GPU acceleration. The project includes a standalone voice agent ("Jarvis") with wake-word activation that manages GPU VRAM sharing by pausing other workers on activation. A tamper-evident SHA-256 hash chain links every pipeline operation for provenance. (more: https://github.com/ChrisRoyse/clipcannon) A companion white paper details the multi-modal embedding architecture and cross-stream intelligence approach. (more: https://www.researchgate.net/publication/403379216_Clip_Cannon_White_Paper)

On the document processing side, LlamaIndex released LiteParse, an open-source standalone PDF parsing tool focused exclusively on speed and lightness. Built on PDF.js with optional Tesseract.js OCR (zero setup), it provides spatial text parsing with bounding boxes, screenshot generation for LLM agents, and multi-format input support (Office documents via LibreOffice, images via ImageMagick). The contrast with the trend toward ever-larger vision-language models for document understanding (Qianfan-OCR at 4B parameters, Qwen3-VL at 235B) is deliberate: LiteParse runs entirely locally, handles the common cases fast, and explicitly directs users to LlamaParse (their cloud service) for the hard stuff — dense tables, multi-column layouts, handwritten text. It is available as an npm package, a Homebrew formula, and a Claude Code agent skill. (more: https://github.com/run-llama/liteparse)

The Agentic Platform Race

A detailed analysis of leaked WWDC signals argues that Apple is making a major agentic AI play for the second half of 2026. The thesis: Siri becomes a standalone app with a ChatGPT-like conversational interface, but because Apple controls the entire stack, the chat experience isn't limited to the app — it's ambient, accessible from any screen. The second pillar is "App Intents," an API for communicating structured intent into applications for remote interaction, with Apple reportedly working with Amazon, Uber, and other high-traffic apps for stage demos. Third, and most relevant to the developer audience: MCP integration at the system level, where Apple handles protocol implementation, security, and compatibility rather than requiring each developer to maintain MCP support separately. If realized, this would bring Model Context Protocol tool access to 1.5 billion iPhone users, most of whom have been on ChatGPT free tier at best. The architectural trade-off is notable: Apple's own small on-device model handles private data, while Google Gemini (reportedly a billion-dollar-plus deal) white-labels the complex reasoning — choosing a model provider that has historically been weaker at tool-calling harnesses than Claude or GPT. The implication is that Apple envisions more single-task agentic interactions on the phone, with complex multi-step workflows living on the Mac. (more: https://youtu.be/BhXNtvZvziY)

A structured 50-lesson engineering course has emerged that dissects all 1,902 Claude Code source files across 8 chapters, covering the boot sequence, tool system, agent intelligence (including the Dream and memory systems), coordinator mode, swarm orchestration, permissions sandbox, and unreleased features like KAIROS and ULTRAPLAN. (more: https://www.markdown.engineering/learn-claude-code) For those interested in building on top of agentic AI infrastructure rather than just studying it, the RuvNet platform demonstrates a knowledge base running on RuVector — 499 expert articles compressed via RVF format — as one approach to the "tool explaining itself using itself" pattern. (more: https://ask-ruvnet.up.railway.app)