Et Tu, Agent? Did You Install the Backdoor?

TLDR

  • Axios (100M+ weekly npm downloads) was backdoored via a hijacked maintainer account; a self-deleting RAT phoned home within 89 seconds of install.

Key Takeaways

  • The attacker added one new dependency (plain-crypto-js) to Axios’s package manifest; it downloaded a remote access trojan, executed it, then deleted itself before inspection.
  • A separate campaign (TeamPCP) stole one CI/CD token from Trivy, then cascaded across npm, PyPI, Docker Hub, and the VS Code marketplace in eight days via a self-propagating worm across 66+ packages.
  • AI coding agents select known-vulnerable dependency versions 50% more often than humans; nearly 20% of AI-recommended packages are fabricated names, 43% of which appear consistently across queries (“slopsquatting”).
  • Socket (a16z portfolio) detected the malicious Axios dependency within 6 minutes by analyzing package behavior rather than CVE databases; industry average breach detection is 267 days.
  • Traditional npm audit returned clean results on the compromised Axios version because the malware self-destructed; CVE-based scanners are structurally blind to novel malicious packages.

Why It Matters

  • Autonomous coding agents install dependencies and ship updates at machine speed with no human review, compressing the security window to near zero.
  • The median JavaScript project has 755 transitive dependencies chosen by nobody on the team; one compromised node infects every npm install during the exposure window.
  • Behavioral package analysis (what code actually does: network calls, shell spawns, postinstall scripts) is now the only detection layer that catches novel backdoors before CVEs exist.
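The manifest change described in the takeaways (a release that gains one new dependency) and the install-time behavior named above can be surfaced before anything is installed by diffing the previously reviewed manifest against the new one. This is an added example, not code from the original article or from Socket; the package names, manifests and helper functions (`collectDeps`, `diffRelease`, `reviewUpdate`) are constructed for illustration.

```javascript
// Added example: every manifest below is constructed sample data.
// Lifecycle scripts npm runs when a package is installed from the registry.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Manifest fields that can pull packages into a consumer's install.
const DEP_FIELDS = ["dependencies", "optionalDependencies", "peerDependencies"];

function collectDeps(manifest) {
  const deps = {};
  for (const field of DEP_FIELDS) Object.assign(deps, manifest[field] || {});
  return deps;
}

// Compare the last reviewed manifest of a package with the new release.
function diffRelease(prev, next) {
  const before = collectDeps(prev);
  const after = collectDeps(next);
  const oldScripts = prev.scripts || {};
  const newScripts = next.scripts || {};
  return {
    addedDeps: Object.keys(after).filter((n) => !(n in before)).sort(),
    changedHooks: INSTALL_HOOKS.filter((h) => newScripts[h] && newScripts[h] !== oldScripts[h]),
  };
}

// Hold the update if it adds a dependency or adds/changes an install hook.
// addedManifests maps each new dependency name to its own package.json.
function reviewUpdate(prev, next, addedManifests) {
  const { addedDeps, changedHooks } = diffRelease(prev, next);
  const findings = changedHooks.map((h) => `${next.name}: install hook "${h}" added or changed`);
  for (const dep of addedDeps) {
    const m = addedManifests[dep];
    const hooks = m ? INSTALL_HOOKS.filter((h) => (m.scripts || {})[h]) : [];
    findings.push(hooks.length
      ? `${dep}: new dependency with install hook(s) ${hooks.join(", ")}`
      : `${dep}: new dependency, needs review`);
  }
  return { block: findings.length > 0, findings };
}

// Constructed sample: a patch release that quietly gains one dependency.
const SAMPLE_PREV = { name: "sample-http-client", version: "1.0.0",
  dependencies: { "sample-utils": "^2.0.0" } };
const SAMPLE_NEXT = { name: "sample-http-client", version: "1.0.1",
  dependencies: { "sample-utils": "^2.0.0", "sample-new-dep": "^4.0.0" } };
const SAMPLE_ADDED = { "sample-new-dep": { name: "sample-new-dep",
  scripts: { postinstall: "node setup.js" } } };

console.log(reviewUpdate(SAMPLE_PREV, SAMPLE_NEXT, SAMPLE_ADDED));
```

Because the check reads manifests rather than installed files, it does not depend on the payload still being on disk afterwards. Pairing it with `npm install --ignore-scripts` keeps lifecycle scripts from running while a flagged update is reviewed.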

Joel de la Garza, Malika Aubakirova, Zane Lackey — Andreessen Horowitz · 2026-04-02