Tuesday, March 31
Axios Got Popped and Your CI Pipeline Probably Pulled It Before Anyone Noticed

Two malicious versions of axios hit npm yesterday using a compromised maintainer's credentials. The injected payload is a cross-platform RAT dropper that phones home, delivers its package, then erases itself and swaps in a clean decoy. Axios lives in roughly 80% of cloud environments and gets downloaded about 100 million times a week. Socket flagged it in six minutes. npm pulled the packages by early Tuesday morning UTC. But 3% of affected environments had already run the payload. This is the third major package ecosystem compromise in seven days, and the targets keep getting bigger.
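One defender-side check this paragraph calls for: find out whether your lockfile resolves axios, directly or as a nested transitive copy, to an affected version. This is an added example, not code from the newsletter or from the axios project; the suspect version strings and the sample lockfile are constructed placeholders, because the page does not list the malicious version numbers.

```python
import json
from typing import Dict, List

# Constructed placeholders: the newsletter does not list the malicious version
# numbers, so substitute the ones from the advisory before running this for real.
SUSPECT_VERSIONS = {"axios": {"0.0.0-placeholder-a", "0.0.0-placeholder-b"}}

# Constructed sample lockfile (lockfileVersion 3): axios resolves twice, once at
# top level and once nested under a transitive dependency that pinned its own copy.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.0.0", "some-sdk": "^2.0.0"}},
        "node_modules/axios": {"version": "1.7.9", "integrity": "sha512-constructed1"},
        "node_modules/some-sdk": {"version": "2.0.0"},
        "node_modules/some-sdk/node_modules/axios": {
            "version": "0.0.0-placeholder-a", "integrity": "sha512-constructed2"},
    },
}

def find_package_versions(lock: dict, name: str) -> List[Dict[str, str]]:
    """Return every resolution of `name` in an npm lockfile, nested copies included.
    Handles lockfileVersion 2/3 ("packages", keyed by install path) and
    lockfileVersion 1 ("dependencies", nested recursively)."""
    hits: List[Dict[str, str]] = []

    def record(path: str, meta: dict) -> None:
        hits.append({"path": path, "version": meta.get("version", ""),
                     "integrity": meta.get("integrity", "")})

    for path, meta in lock.get("packages", {}).items():
        if path.split("node_modules/")[-1] == name:  # final segment is the package name
            record(path, meta)

    def walk_v1(deps: dict, prefix: str) -> None:
        for dep, meta in deps.items():
            path = f"{prefix}node_modules/{dep}"
            if dep == name:
                record(path, meta)
            walk_v1(meta.get("dependencies", {}), path + "/")

    if "packages" not in lock:  # v1 lockfiles have no "packages" map
        walk_v1(lock.get("dependencies", {}), "")
    return hits

def audit_lockfile(lock: dict, suspects=SUSPECT_VERSIONS) -> List[Dict[str, str]]:
    """Return the resolutions whose version is on the suspect list."""
    return [{"name": n, **h} for n, bad in suspects.items()
            for h in find_package_versions(lock, n) if h["version"] in bad]

if __name__ == "__main__":  # load your own package-lock.json in place of the sample
    print(json.dumps(audit_lockfile(SAMPLE_LOCK), indent=2))
```

A lockfile audit only tells you what a pinned install resolves to; a CI job that ran a floating `npm install` inside the window before npm pulled the packages needs its install logs and egress checked instead, and since the payload erases itself and leaves a clean decoy, a clean-looking on-disk copy proves nothing.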

AI Buzz and Builds This Tuesday
The npm registry handles about 30 billion downloads a month. That's roughly one download for every four humans on Earth, every single month. It's the quiet plumbing under almost every web product you touch, and it rarely makes headlines unless something goes sideways.
- Anthropic's Claude Code CLI ships as an npm package. So does axios, the HTTP library sitting in roughly 80% of cloud environments. Both made news today for very different packaging mishaps.
- Bluesky just crossed 43 million users and locked in $100M in fresh funding. The platform was built on the AT Protocol, designed specifically to let users control their own algorithmic experience.
- Apple's MLX framework has been quietly maturing since late 2023, optimized for the unified memory architecture in M-series chips. It's finally getting the integrations the local AI crowd has been waiting for.
Anyway. It's a Tuesday, and things are happening.
Security, Privacy, and Power Plays Today
GitGuardian's 2026 report just landed: 29 million new hardcoded secrets in public GitHub commits during 2025. A 34% year-over-year jump, the largest ever recorded. AI-generated code is reshaping where credentials leak, and remediation still isn't keeping pace.
Innovation Council Action is gearing up to spend over $100 million backing candidates aligned with a deregulatory AI agenda in the 2026 midterms. The group has David Sacks' blessing and is explicitly advancing the administration's AI priorities. Lobbying season is wide open.
A blog post alleging U.S. government-adjacent apps contain Huawei-linked tracking code and an ICE tip line sparked heated developer community debate yesterday. The claims are still being picked apart, but the conversation is loud and getting louder.
Agibot rolled out its 10,000th mass-produced humanoid unit yesterday. China's robotics sector is scaling at a pace that's shifting humanoids from lab curiosity to production category. The number that matters here isn't the robot count. It's the manufacturing velocity.
Match's OkCupid got hit with a 20-year privacy enforcement action after sharing users' private photos with an AI firm. Two decades of oversight for one data-sharing decision. The cost of treating user photos as training data just got very concrete.
Millions of UK iPhone users found themselves stuck in a "child by default" mode thanks to an age verification rollout gone wrong. What was meant to protect minors ended up restricting adults. A cautionary tale in blunt-instrument compliance.
Favorite Featured Stories

A single agent step running at 95% reliability sounds fine. Chain twenty steps and you're below 36%. That gap has to be ...

The average enterprise now runs 37 AI agents. Most were never reviewed by a security team. More than half operate withou...

Between 2009 and today, billions of people clicked through grid squares identifying crosswalks, storefronts, and traffic...

Over 30,000 exposed instances cataloged. Hundreds of malicious skills traced to a single threat actor. CVEs scored and p...