2 links tagged with all of: npm + supply-chain + security
Links
Over the past 15 months a series of high-profile backdoors, worms and trojans have compromised thousands of npm, PyPI and other open-source packages, exposing millions of downstream projects to remote access, data wiping and credential theft. The article traces incidents from the xz-utils backdoor to self-propagating npm worms, explains how deep dependency trees magnify risk (one compromised package reaches every project that pulls it in, directly or transitively), and outlines immediate steps to stem the threat: pinning versions, auditing dependencies and funding maintainers.
The article discusses a recent supply chain attack involving the popular Axios package, highlighting how the attacker delivered malware without altering the package's own code, which means a review of that source alone would not have shown it. It emphasizes the challenges AI poses on both sides, coding and attacking: automated systems can introduce vulnerabilities faster than traditional security measures can respond.
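Neither linked article ships code; the following is an added example (not from either article, nor from the Axios project) of lockfile checks that put both summaries above into practice: it flags range specifiers in package.json that a pinning policy would forbid, lockfile entries with no integrity hash, packages that declare install scripts, and what changed between two lockfiles, which is the kind of review that surfaces a dependency that was added or swapped without the depending package's own source changing. The package names, versions, registry URL and hashes are constructed for illustration; the lockfile field names (`packages`, `resolved`, `integrity`, `hasInstallScript`) are those of npm's lockfileVersion 2/3 format.

```javascript
// Added example: CI-style checks over package.json and two package-lock.json
// snapshots. All names, versions, URLs and hashes below are constructed.

// Constructed package.json: one exact version, two ranges.
const packageJson = {
  name: "demo-app",
  dependencies: { "http-helper": "2.4.1", "date-fmt": "^3.1.0" },
  devDependencies: { "test-runner": "~9.0.0" },
};

// Constructed lockfile (lockfileVersion 3) as committed on the main branch.
const lockBefore = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "http-helper": "2.4.1", "date-fmt": "^3.1.0" } },
    "node_modules/http-helper": { version: "2.4.1", resolved: "https://registry.example/http-helper/-/http-helper-2.4.1.tgz", integrity: "sha512-AAAA" },
    "node_modules/date-fmt":    { version: "3.1.2", resolved: "https://registry.example/date-fmt/-/date-fmt-3.1.2.tgz",       integrity: "sha512-BBBB" },
    "node_modules/test-runner": { version: "9.0.4", resolved: "https://registry.example/test-runner/-/test-runner-9.0.4.tgz", integrity: "sha512-DDDD" },
  },
};

// Constructed lockfile after a routine bump: http-helper 2.4.2 now pulls in a
// new transitive package that has an install hook and no integrity hash, while
// http-helper's own JavaScript could be byte-for-byte unchanged.
const lockAfter = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "http-helper": "2.4.2", "date-fmt": "^3.1.0" } },
    "node_modules/http-helper": { version: "2.4.2", resolved: "https://registry.example/http-helper/-/http-helper-2.4.2.tgz", integrity: "sha512-CCCC", dependencies: { "crypto-shim": "^1.0.0" } },
    "node_modules/date-fmt":    { version: "3.1.2", resolved: "https://registry.example/date-fmt/-/date-fmt-3.1.2.tgz",       integrity: "sha512-BBBB" },
    "node_modules/test-runner": { version: "9.0.4", resolved: "https://registry.example/test-runner/-/test-runner-9.0.4.tgz", integrity: "sha512-DDDD" },
    "node_modules/crypto-shim": { version: "1.0.3", resolved: "https://registry.example/crypto-shim/-/crypto-shim-1.0.3.tgz", hasInstallScript: true },
  },
};

// Exact semver (optionally with a prerelease tag); anything else is a range.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// Dependency specs in package.json that are ranges rather than exact versions.
function findUnpinned(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) out.push({ name, spec });
    }
  }
  return out;
}

// Resolved packages whose lockfile entry carries no integrity hash: npm cannot
// verify the tarball it fetches for them. Workspace links (link: true) are skipped.
function findMissingIntegrity(lock) {
  return Object.entries(lock.packages)
    .filter(([path, e]) => path !== "" && !e.link && e.resolved && !e.integrity)
    .map(([path]) => path);
}

// Packages that declare preinstall/install/postinstall hooks; npm records this
// as hasInstallScript. These run arbitrary code during installation.
function findInstallScripts(lock) {
  return Object.entries(lock.packages)
    .filter(([path, e]) => path !== "" && e.hasInstallScript === true)
    .map(([path]) => path);
}

// Added, removed and changed (version, tarball or hash) packages between two lockfiles.
function diffLockfiles(before, after) {
  const added = [], removed = [], changed = [];
  const keys = new Set([...Object.keys(before.packages), ...Object.keys(after.packages)]);
  for (const key of keys) {
    if (key === "") continue;
    const a = before.packages[key], b = after.packages[key];
    if (!a) added.push(key);
    else if (!b) removed.push(key);
    else if (a.version !== b.version || a.integrity !== b.integrity || a.resolved !== b.resolved) changed.push(key);
  }
  return { added, removed, changed };
}

// Single gate for CI: returns findings (empty array means the change is clean).
function auditLockfileChange(pkg, before, after) {
  const findings = [];
  for (const { name, spec } of findUnpinned(pkg)) findings.push(`unpinned: ${name}@${spec}`);
  for (const p of findMissingIntegrity(after)) findings.push(`no-integrity: ${p}`);
  const diff = diffLockfiles(before, after);
  const hooks = new Set(findInstallScripts(after));
  for (const p of diff.added) findings.push(hooks.has(p) ? `new-dep-with-install-script: ${p}` : `new-dep: ${p}`);
  for (const p of diff.removed) findings.push(`removed: ${p}`);
  for (const p of diff.changed) findings.push(`changed: ${p}`);
  return findings;
}

console.log(auditLockfileChange(packageJson, lockBefore, lockAfter));
```

In a real pipeline, load the committed and the proposed package-lock.json from disk and fail the job when the findings are non-empty, then let a human review each flagged entry before merging. Pairing this with `npm ci --ignore-scripts` keeps install hooks from executing at all, so a package like the constructed crypto-shim above cannot run code at install time even if it slips through review.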