Do we still need axios?


Yesterday a hacker compromised the account of the lead developer of axios — the npm package with around 100 million weekly downloads — and published two malicious versions that included a remote access Trojan targeting macOS, Windows and Linux.

The malicious code was pulled from a staged dependency called "plain-crypto-js" and was designed to self-destruct after execution. It was only live for about three hours, but that was enough: security firm Huntress reported the first infection on a monitored endpoint just 89 seconds after the compromised version was published.

According to StepSecurity, the malicious dependency was staged 18 hours in advance, three payloads were pre-built for three operating systems, and both release branches were poisoned within 39 minutes of each other. Google's security team has linked the attack to a North Korean group that targets cryptocurrency theft.

This got me thinking: do we actually still need axios? The original reason it became so popular was that it gave you a clean, consistent API for making HTTP requests that worked the same way in the browser and in Node.js. But Node.js has had native fetch since version 18 and it's been stable for a while now. The browser has had it for years. So the problem axios originally solved is basically gone.

For my typical axios usage I wrote a simple fetch wrapper called fetchios that mirrors the axios API — same .get(), .post(), .create(), interceptors and all. It works as a drop-in module so I don't have to change the code everywhere, just copy the file in utils, swap the import and remove axios from my dependencies.

Every dependency you add is a potential attack surface — and this incident is a perfect reminder of that. Maybe it's time to stop running npm install axios by inertia and check what the platform already gives you.

Another day running a VPS


I run a small VPS for some personal projects, and I often check the SSH logs to see who’s trying to break in. I have the standard setup: key-based authentication, password login disabled, non-default ssh port and fail2ban configured to block IPs after a few failed attempts. But that doesn’t stop the bots from trying.

This week, I decided to do a little analysis of the SSH logs to see where the attacks are coming from, and the results are not surprising but still interesting.

Nearly 31,000 failed login attempts from the top 20 IPs alone. Russia takes the lead with 45% of attacks (20,742 attempts), followed by the US at 30% (8,163 attempts). One particularly persistent Russian IP tried over 9,600 times. Points for determination, I guess?

The geographic diversity is almost impressive: Russia, US, China, Brazil, South Korea all represented. It’s like a World Cup of “please let me into your server.”

This is just life when you have an ssh server exposed to the internet. I decided to add some additional security measures this week after seeing the data, but I wanted to share the conclusion of this analysis as a public service to anyone else who might be running a VPS with SSH access.

Stay safe out there.


Top 20 most common IP addresses

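| Rank | IP Address | Country | Attempts | % bar |
|---|---|---|---|---|
| 1 | 176.120.22.47 | Russia | 9,621 | ████████████████ |
| 2 | 209.38.216.89 | United States | 5,613 | █████████ |
| 3 | 45.140.17.124 | Russia | 4,013 | ███████ |
| 4 | 176.120.22.13 | Russia | 2,271 | ████ |
| 5 | 87.121.84.136 | Russia | 2,252 | ████ |
| 6 | 91.202.233.33 | Russia | 1,166 | ██ |
| 7 | 167.99.72.161 | United States | 1,100 | ██ |
| 8 | 222.120.161.213 | China | 1,087 | ██ |
| 9 | 45.135.232.92 | Russia | 631 | |
| 10 | 210.79.142.221 | South Korea | 602 | |
| 11 | 165.22.216.148 | United States | 553 | |
| 12 | 216.10.242.161 | United States | 436 | |
| 13 | 47.251.142.10 | China | 360 | |
| 14 | 5.104.86.151 | Russia | 300 | |
| 15 | 45.148.10.121 | Russia | 288 | |
| 16 | 68.183.234.194 | United States | 237 | |
| 17 | 181.116.220.140 | Brazil | 232 | |
| 18 | 209.38.85.78 | United States | 224 | |
| 19 | 189.50.142.82 | Brazil | 222 | |
| 20 | 157.173.199.44 | Russia | 193 | |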
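
One way to produce a per-IP tally like the one above from sshd log lines, as an added example (not the script used for this post). It counts one failure per connection rather than per log line, and the sample log, function names and documentation-range IPs are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in OpenSSH's syslog format (documentation-range IPs).
SAMPLE_LOG = """\
Mar 10 03:14:01 vps sshd[1201]: Invalid user admin from 203.0.113.7 port 51122
Mar 10 03:14:03 vps sshd[1201]: Connection closed by invalid user admin 203.0.113.7 port 51122 [preauth]
Mar 10 03:14:09 vps sshd[1207]: Failed password for root from 198.51.100.23 port 40022 ssh2
Mar 10 03:15:40 vps sshd[1215]: Connection closed by authenticating user root 203.0.113.7 port 51190 [preauth]
Mar 10 03:16:02 vps sshd[1220]: Accepted publickey for deploy from 192.0.2.10 port 50214 ssh2
Mar 10 03:16:30 vps sshd[1226]: Invalid user x from 192.0.2.99 port 1 from 203.0.113.7 port 51300
"""

# sshd forks one process per connection, so the PID identifies a connection
# (OpenSSH 9.8+ logs as "sshd-session"). Assumes PIDs are not reused in the log.
LINE = re.compile(r"sshd(?:-session)?\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Usernames are client-supplied, so the address is taken from the END of the
# message; the greedy ".*" swallows anything a crafted username tries to inject.
FAIL = re.compile(
    r"^(?:Failed password for .* from"
    r"|Invalid user .* from"
    r"|(?:Connection closed by|Disconnected from) (?:invalid|authenticating) user .*)"
    r" (?P<ip>[0-9A-Fa-f:.]+) port \d+(?: ssh2| \[preauth\])?$"
)

def failed_connections(log_text):
    """Count failed SSH connections per source IP, one per (sshd PID, IP)."""
    seen = set()
    for line in log_text.splitlines():
        m = LINE.search(line)
        f = FAIL.match(m.group("msg")) if m else None
        if not f:
            continue
        try:
            ip = str(ipaddress.ip_address(f.group("ip")))
        except ValueError:
            continue  # matched the shape but is not a valid address
        seen.add((m.group("pid"), ip))
    return Counter(ip for _, ip in seen)

def top_sources(log_text, n=20):
    """Return (ip, count, percent) rows, busiest first."""
    counts = failed_connections(log_text)
    total = sum(counts.values())
    return [(ip, c, round(100 * c / total, 1)) for ip, c in counts.most_common(n)]

if __name__ == "__main__":
    for ip, count, pct in top_sources(SAMPLE_LOG):
        print(f"{ip:<40}{count:>6}{pct:>7}%  {'█' * round(pct / 5)}")
```

The last sample line carries a username crafted to look like a second source address; the end-anchored pattern attributes it to the real peer, 203.0.113.7.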

Aircraft Hijacking Statistics


Last night, when I was reading about the EgyptAir hijacking, I was thinking that fortunately these types of incidents are now very rare. I remember when I was a kid that this was one of the clichés in the American movies of the 80s (i.e. Delta Force), but with the tough security measures in place in most airports, this doesn't happen as often.

Wikipedia has a detailed compilation of aircraft hijacking incidents, and there is definitely a decrease compared to the peak in the 70s.

Countries Most Affected By Terrorism Incidents 2016


Wikipedia has a list of the terrorist incidents that happened during the current year. Based on this information, these are the countries most affected by number of terror incidents: