the WORST hack of 2026

NetworkChuck | 00:11:00 | Mar 31, 2026
The chapter warns that npm install now represents a serious threat after Axios was hijacked, enabling rapid deployment of a remote access trojan and illustrating a dangerous supply chain attack in action.

A shocking supply-chain hack hit Axios via a compromised maintainer token, unleashing a fast, self-erasing backdoor in under 1.1 seconds—here’s how to detect and defend.

Summary

NetworkChuck breaks down a seismic 2026 supply-chain attack centered on Axios, the popular HTTP library. The attacker hijacked the lead maintainer’s long‑lived npm token, inserted a subtle change to package.json, and deployed a stealth dropper that fetches a RAT from a command-and-control server. What makes this so terrifying is that the malicious code never appears in Axios’s 86 source files; it uses a postinstall script that self-erases after execution, slipping past many automated checks. Chuck shows how two release lines—1.x and 0.x (1.14.1 and 0.30.4)—were poisoned within 39 minutes of each other, meaning any project pulling those ranges would unknowingly install the compromised version. The malware executes in 1.1 seconds, then cleans up traces, leaving infected systems with broad access. He also emphasizes how modern software relies on thousands of dependencies, meaning a single compromised maintainer can affect millions of projects. The video provides practical detection steps, remediation tips, and a call to stay vigilant as supply-chain threats grow in frequency and sophistication. Chuck even invites collaboration and points viewers to John Hammond’s live coverage for deeper code dives. It ends with a human note: secure your keys, rotate credentials, and share learnings to protect the community.

Key Takeaways

  • Compromised maintainer tokens can unlock the kingdom: attackers used a long‑lived npm Classic access token to gain control of Axios’s release process.
  • A tiny, hidden postinstall script can pull a remote RAT without modifying the main source: the dropper executes 1.1 seconds after npm install.
  • Two release branches (1.x and 0.x) were poisoned (1.14.1 and 0.30.4), so projects using those ranges pulled the malicious version automatically.
  • The attack used obfuscation and non‑imported dependencies to evade static scanners, with a staged setup.js that reveals malicious behavior only at runtime via a C2 server, then cleans up traces.

Who Is This For?

Essential viewing for JavaScript/Node.js developers, DevOps engineers, and security teams who rely on npm packages. It highlights real-world supply-chain risk, practical detection steps, and remediation practices.

Notable Quotes

"This attacker took over the lead maintainer's account, injected malicious code without actually injecting malicious code, and it deploys a remote access Trojan in under 1.1 seconds."
Describes the core speed and stealth of the attack.
"The malware erases itself. No trace left behind."
Highlights the self-cleaning behavior that complicates detection.
"You could be infected. And this just happened."
Emphasizes the immediacy and personal risk to viewers.
"The attacker changed the account email to this address, if stoppro.mme."
Shows how social/credential control enabled the breach.
"This postinstall script runs automatically by itself. You don’t have to do anything."
Explains how the supply-chain attack leverages npm mechanics to auto-execute.

Questions This Video Answers

  • How does a supply-chain attack on npm packages actually happen in practice?
  • What steps can I take to verify npm package integrity after a breach like Axios?
  • What remediation checklist should teams follow after discovering a compromised dependency?
  • Which release lines were poisoned in the Axios attack and how does that affect CI/CD pipelines?
  • How can I monitor for hidden postinstall scripts that execute on npm install?
Tags: Axios, npm, OpenClaw, supply-chain-attack, postinstall, RAT, C2 server, dependency risk, CI/CD security, security best practices
Full Transcript
This just became the most dangerous command that anyone can run. npm install anything. Fill in the blank n open claw doesn't matter. We're still uncovering just how bad the fallout on this is. Anyone could be infected. You could be infected. And this just happened. Axios, the most popular HTTP library, over 100 million downloads a week, was hijacked. A hacker took over the lead maintainer's account, injected malicious code without actually injecting malicious code, and it deploys a remote access Trojan in under 1.1 seconds, and the malware erases itself. No trace left behind. This just might be the most sophisticated and dangerous supply chain attack in history. Get your copy ready. Let's dig into how this happened today, like just a few hours ago. So, how exactly did this happen? Here's what we know so far. I'm going to walk you through the entire attack from how they got in to how the malware erased itself and how it was discovered because, you know, we're kind of talking about this right now. Now, first, you probably have Axios installed, the thing that got hacked. I'll show you how to check to see if you're on the bad version here in a moment. It's an HTTP library and it's essentially how code talks to the internet, but you'll rarely install it directly. Like, I've never installed Axios, but I do have it installed. How? npm install. npm is the package manager for JavaScript. Essentially, the app store for code. Devs use it a ton, and so do you. If you've installed something like nan or openclaw, but you're not just installing openclaw when you do that. You're installing a bunch of dependencies or other code written by other people that the app you're installing depends on to work. You're trusting OpenClaw, but OpenClaw is trusting Axios. This is how most software works. And as it stands, the average npm project trusts 200 to 2100 strangers with code execution. And I want to hit home the strangest part because this is where we got in trouble with Axios. 
Axios, something that 174,000 projects depend on is coded by a bunch of random people. I mean, here's the change log right here. Looking at the commits, random people. Pay attention to this guy. And these are unpaid people. This is open source. And one of those people got compromised. This guy, I feel so bad for this guy today. Jason Semen, probably not his real name. Maybe it is. He's a lead maintainer for Axios. And the attacker got his access token, a long lived npm Classic access token that gave the attacker the keys to the kingdom. Now, we don't know how this happened just yet. We just know that it did. And this is when things get bad. He changed his account email to this email address, if stoppro.mme. And the attacker was really clever because he never actually added any malicious code to Axios. Instead, he added one line to the package.json file. Here it is. Clean. Don't blink. This is what he changed. Plain crypto.js. Notice dependencies. They keep getting us in trouble. Now, this is a simple dependency. Nothing kind of crazy about it. No one would really notice this. In fact, an average code reviewer would just go, "Oh, that's a simple crypto thing." And the sucker was never imported to any of Axios's 86 source files. It exists only to install its postinstall script. But the attacker was smart. They actually staged a clean version of this file 18 hours before the malicious one. And they were able to bypass the typical CI/CD pipelines by using npm CLI, essentially skipping all the guardrails that would normally catch something like this. Now, socket.dev was the first person or the first company to find this. And they have a really fun diagram I want to show you. Oh, and also they changed two release branches, the 1.x and 0.x, specifically the 1.14.1 and the 0.30.4. And they were poisoned within 39 minutes of each other. 
So any project using a caret range of these two releases would pull the compromised version on the next npm install, which often happens automatically with CI/CD pipelines or when you're just installing OpenClaw cuz some YouTuber told you to do it during that time frame. I'm sorry. So when you do npm install, this postinstall script runs automatically by itself. You don't have to do anything. And it triggers what's called a dropper. This dropper drops in setup.js. Now it looks harmless. Looks like math, but here we have two layers of obfuscation which hides all the dangerous stuff from static scanners. It's using XOR and base64 and this weird order 7077 phrase. Does anyone know what that means? So now that setup.js has deobfuscated all the dangerous stuff or revealed it, it can use it. It will then detect the operating system that it's currently running on, which operating system you have. It will then contact the C2 server, the command and control server which the attacker operates and downloads the specific RAT or remote access Trojan software onto that computer. And this is what it would look like on Mac, Windows, and Linux. This happens 1.1 seconds after npm install. And then it cleans up. It deletes setup.js, deletes the malicious package.json, and renames the pre-staged package.md to package.json, which is a clean version. At this point, the attacker has access to your system. They can access your stuff in 1.1 seconds. And you didn't even know. And you weren't doing anything weird or wrong. You were just installing or using software from people that you trust. It's not your fault. It's a supply chain attack. It's kind of like this. If someone wanted to poison me, they could just put poison in this cup of coffee. But that'd be hard cuz I'm always watching my coffee. But they could instead go to the coffee roaster and poison the beans I buy. Actually, I need some more coffee right now. Or maybe they go higher up the chain. 
Maybe they poison the powder on these coffee bags, the same bags that are used by all the suppliers. That would expand their reach, poisoning a lot more people. I know this analogy is kind of dark. Or they can go bigger. What if they poisoned the water supply? Going after the water I use to brew my coffee. And now they've expanded their use beyond coffee drinkers. It's everyone who uses the water and that's kind of the scope we're dealing with right now with the Axios supply chain attack. So let's find out if you drink the water. Because here's the thing. You might have Axios installed, but you may not even know. I know I have it installed. I think I'm safe. Let's check together right now because again, this stuff just happened. I'm kind of discovering it with you. All right. Thank you, Pikachu. You can leave now. Okay, bye. Okay, let's check. Let's open up your terminal first. Type in this: npm list -g axios. Check your versions. If you see 1.14.1 or 0.30.4, you may want to do a deeper search across your entire system. We can use this little multi-line command here. And I'll have all these commands below for all the systems. And it's finding things I've custom built myself. I didn't even know had Axios in them. It's everywhere, man. Now, let's check if the RAT actually made it onto your system. I'm going to use this command to see if it's on my Mac. Not there. I'll have commands for Windows and Linux below. And you can also check if it's going to reach out to the command and control server. This is the IP that was found. It was taken down or it's not up anymore. If none of that showed anything, you're probably good for now. Just keep an eye out. But if you found anything, stop right now. Don't just delete files. Treat your machine as a compromised machine. Rotate your API keys, every credential, every token. I'll have a full remediation checklist below. Keep an eye out. Keep your ear to the ground. And it seems like this is happening more and more often now. 
Um, h AI is amazing and it's been helping us build stuff, but it's also helping the hackers do things. This is happening way more often than it should. So, pay attention. Be secure. Um, also go watch John Hammond's live stream where he actually woke up and went through all this and went through all the code. It was very fun to watch. I'm sure he'll be dropping a video on this soon as well. And thank you to all you warriors out there, all you amazing people who are remediating all this stuff. This is a massive thing, a massive supply chain attack. So, get that coffee brewing. If you're affected by this, I'd love to hear in the comments below how it's going. How how bad is it? Maybe offer some help or advice for people who may be going through this. That's all I got. I'll catch you guys next time. Hey, you made it to the end of the video. And at the end of my videos, I like to pray for you, my audience. I know it's kind of weird. Go with it. Life is weird. One, two, three. Pray. God, I thank you for the person on the other side of this camera, on the other side of this screen. I ask in your name that you bless them and their lives right now that um if they are affected by this hack that you would give them the passion and the strength and the ability and the diligence and the energy to just tackle this with skill that you would bless their their own personal computing environment, their company's environment, and just I ask that you would make them a rock star in this moment. uh equip them with everything they need. Um if they're not affected, if they're just watching this to learn this, I pray that you would turn them into an amazing cyber security person that you would teach them skills and give them the ability to learn these skills and absorb them to learn about supply chain attacks to learn how to defend against them. Just bless their lives. God, I pray for my audience right now that you would just give them so much favor in their lives and their families. 
I pray for success over their career and if there's any anxiety over anything in tech that's happening because everything's moving very fast. Remove that anxiety. Just let it melt off of them and let them take one day at a time, learn that next thing and just stay relentlessly optimistic. I ask this in your name, Jesus. Amen. All right, that's all I got. Actually, I'm going to have um going to have Pikachu try to explain supply chain attacks to you real quick. She begged me to let her do this. Hi, I'm Mad Keith and today I'll be I'll be supplying supply chain attacks. The coffee the the analogy I gave. Oh, okay. So, let's do this. The coffee explanation. So let's say if this really bad guy wants to poison you and you have your cup of coffee, he puts this nice cup of warm hot coffee and he gets poison and he puts in the coffee and you drink it. Okay. But and then the next explanation is if you have a coffee bag with beans in it, coffee beans, and the guy with the poison puts it with the coffee coffee beans. Now you have poison coffee beans. But the really bad one is if the guy where like like there's all these coffee bean bags and they're all together and the guy puts poison in one of the coffee bean bags. All of the coffee bean bags then all of the other coffee bean bags get exposed expo exposed. So that's my that's the explanation. So basically I think what's it called again? Supply chain attack. Supply chain attack is where there's a source and it goes in your computer and it like I think it's like a virus, right? Yeah, it's like a virus and pretend the poison in my analogy is a virus and the coffee in the coffee bean and the coffee bean bags are your computers. So yeah, that's it.
