30-second setup to avoid being hit by supply chain attacks like the axios one
r/node · submitted 31 Mar 2026 by Fun_Can_6448 · 122 points (98% upvoted) · 14 comments

The axios attack (hijacked maintainer → malicious versions 1.14.1 & 0.30.4 → RAT payload) was live for ~2-3 hours before npm pulled it. Most supply chain attacks follow this same pattern — they rely on people installing before anyone notices.

All major package managers now let you delay installing freshly published versions. One config line, set it globally, and you're covered:

npm, in .npmrc:
min-release-age=7

pnpm, in pnpm-workspace.yaml:
minimumReleaseAge: 10080

bun, in bunfig.toml:
minimumReleaseAge = 10080

Not a silver bullet, but for the "publish and pray" type of attack - which is most of them - this is the easiest win you'll ever get.

all 14 comments, sorted by: best

[–] TokenRingAI · 29 points · 1 day ago
Good advice, we implemented this last week and it prevented the axios compromise.
Also, you may want to mention the ignore-scripts=true flag globally and for .npmrc.

[–] screwcork313 · 27 points · 1 day ago
You fail to mention that min-release-age requires npm v11.10.0, which only came out a month ago. To ensure this check is applied, you could enforce the minimum versions of node and npm by declaring them in package.engines, and add engine-strict in your .npmrc. And it still might not catch the zero-day in your transitive deps, although I'm not sure if that's a greater or lesser risk than the direct deps...

    [–] bob51zhang · 7 points · 1 day ago
    How would it not catch a transitive? If your direct minimum release age is 1 week, then it follows that all packages it pulls in must have been released >= 1 week ago.

        [–] rusmo · 2 points · 1 day ago
        lol - lazy loading @latest. What could go wrong?

        [–] breakslow · 1 point · 1 day ago
        I don't think anyone is stopping you from publishing a package that depends on a package that doesn't exist. Get access to another package, put the "future" version in. But even then it would be broken during that week, which means something would probably get figured out by the time the offending package is released.

[–] germanheller · 3 points · 1 day ago
The 7 day delay is a solid default. We got lucky with axios because it was caught in hours, but most supply chain attacks sit undetected for weeks.
Combine this with lockfile-only installs in CI (npm ci instead of npm install) and you cover like 90% of the attack surface without any extra tooling.

[–] chuckySTAR · 3 points · 1 day ago
https://bun.com/docs/runtime/bunfig#install-minimumreleaseage
"Configure a minimum age (in seconds)"
npm are days, pnpm minutes, bun seconds. Therefore 604800 for bun.

[–] keepinitcool · 4 points · 1 day ago
!remindme 10 hours

[–] edmillss · 2 points · 17 hours ago
This is solid. Supply chain stuff is only going to get worse with AI agents now installing packages autonomously. Been using indiestack, which tracks maintenance status on 3000+ dev tools -- flags stuff as dead, dormant, stale etc. Not a security scanner like snyk, but catches the "package hasn't been touched in 2 years" problem, which is usually the precursor to a takeover. Free MCP server so your AI agent checks it automatically before recommending packages.

[–] Few_Theme_5486 · 1 point · 16 hours ago
Really useful tip! The axios incident was a wake-up call for a lot of teams. Setting min-release-age is such a low-effort, high-reward defense. I'd also add that combining this with automated dependency audits in CI goes a long way — even catching things before they reach local dev environments.

[–] Few_Theme_5486 · 1 point · 14 hours ago
Didn't know about this config option until now — genuinely surprised it's not more widely discussed given how most supply chain attacks exploit the brief window before maintainers or the registry catch the malicious version. One thing I'd add: pairing this with npm audit in CI means you're catching both new CVEs and keeping a delay buffer for fresh publishes. What's the tradeoff you've found with the 7-day delay for fast-moving projects where you need latest patches quickly?

[+] dani_akash_ · -9 points (comment score below threshold) · 1 day ago
Wrote a detailed blog post on this: https://daniakash.com/posts/simplest-supply-chain-defense/
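As an added illustration (not code from the post or from npm, pnpm or bun), the Python below models the rule the thread is discussing: of the published versions, the newest one that is at least the configured age old is chosen, and a fresh publish is skipped rather than failing the install, which is why the delay also covers transitive dependencies resolved the same way. The version list mirrors the shape of a registry packument's "time" map, but the timestamps, the "now" value and the function names are constructed for this example; semver ranges and prerelease tags are ignored. It also prints the 7-day setting in each manager's unit, as chuckySTAR's comment points out.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of a registry packument's "time" map
# (version -> ISO publish timestamp). Version numbers come from the thread;
# the timestamps and NOW are invented for this example.
NOW = datetime(2026, 3, 31, 18, 0, tzinfo=timezone.utc)
AXIOS_TIMES = {
    "1.13.0": "2026-02-20T10:00:00.000Z",
    "1.14.0": "2026-03-10T10:00:00.000Z",
    "1.14.1": "2026-03-31T15:40:00.000Z",  # freshly published, later pulled
}


def parse_semver(version):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))


def parse_time(stamp):
    """Registry timestamps use a trailing 'Z'; fromisoformat wants '+00:00'."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def resolve_with_min_age(times, min_age_days, now=NOW):
    """Newest version published at least min_age_days before `now`.

    Simplified model of the delay setting: too-fresh versions are simply
    not candidates, so the install falls back to the newest older release.
    Returns None when no version is old enough to satisfy the request.
    """
    cutoff = now - timedelta(days=min_age_days)
    eligible = [v for v, ts in times.items() if parse_time(ts) <= cutoff]
    if not eligible:
        return None
    return max(eligible, key=parse_semver)


def min_age_settings(days):
    """The same delay in each manager's unit: npm days, pnpm minutes, bun seconds."""
    return {
        ".npmrc": f"min-release-age={days}",
        "pnpm-workspace.yaml": f"minimumReleaseAge: {days * 24 * 60}",
        "bunfig.toml": f"minimumReleaseAge = {days * 24 * 60 * 60}",
    }


if __name__ == "__main__":
    print(resolve_with_min_age(AXIOS_TIMES, 7))  # 1.14.0: the 2-hour-old 1.14.1 is skipped
    print(resolve_with_min_age(AXIOS_TIMES, 0))  # 1.14.1: no delay configured
    for filename, line in min_age_settings(7).items():
        print(f"{filename}: {line}")
```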