
The npm Attack, Iran's Double Game, and California's Procurement Gambit

6 stories · ~9 min read

The One Thing: The Axios npm package attack — touching 100M+ weekly downloads — is this decade's most important reminder that the global software supply chain is defended by a handful of underpaid maintainers and a three-hour detection window.

If You Only Read One Thing: StepSecurity's technical breakdown of the Axios npm compromise — a free, non-paywalled account of how a single account hijack cascaded through 400 million monthly downloads and deployed a self-deleting RAT before anyone noticed.

TL;DR: A supply chain attack on the Axios JavaScript library exposed every CI/CD pipeline running auto-updates to a cross-platform remote access trojan for nearly three hours. Iran simultaneously struck a Kuwaiti tanker in Dubai's harbor and agreed to ceasefire talks — classic coercive diplomacy — while the Pentagon denied that Defense Secretary Hegseth's broker tried to front-run the war with defense ETF purchases. Meanwhile, Newsom signed California's first AI procurement order, using state purchasing power as a regulatory weapon the White House can't easily override.


The npm Attack That Woke Up Every Security Team

There's a thought experiment security engineers like to run: what's the single dependency you'd compromise if you wanted to simultaneously backdoor the most software with the least effort? On Monday night, someone appears to have run the experiment for real.

At 00:21 UTC on March 31, attackers published axios@1.14.1 to npm — a compromised version of one of the most downloaded JavaScript libraries on earth. A second malicious version, axios@0.30.4, followed 39 minutes later. According to Socket Research, the attacker had already pre-staged a malicious dependency called plain-crypto-js@4.2.1 the night before, establishing a clean history to avoid detection. Both versions were pulled by npm at approximately 03:15 UTC — about three hours after first publication. The malicious dependency itself survived another hour.

Why it matters: This attack is a textbook illustration of what security researchers call value chain vulnerabilities — the gap between where software originates and where trust is actually evaluated. Axios is the HTTP client library for the JavaScript world. It ships inside Express apps, React frontends, Next.js backends, AWS Lambda functions, and about half of everything you'd find on GitHub. Its 100-300 million weekly downloads aren't from developers manually installing it — they're from CI/CD pipelines auto-resolving caret (^) version ranges. Any pipeline using ^1.14.0 or ^0.30.0 would have automatically pulled the compromised version on the next npm install after midnight.

The malware itself was sophisticated. StepSecurity detected the attack via anomalous outbound connections to sfrclak.com:8000 — a C2 server — during CI/CD runs. The payload used double obfuscation (reversed Base64 combined with an XOR cipher), deployed platform-specific RAT binaries to macOS, Windows, and Linux, then deleted itself, replacing the malicious package.json with a clean version. A post-infection forensics scan of a compromised machine would show nothing. Any organization that ran npm install between 00:21 and 03:15 UTC and hasn't since rotated all credentials should assume full system compromise.
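To check a project for the exposure described above, this added example (not code from this briefing, StepSecurity or Socket) scans an npm v2/v3 lockfile for the three compromised releases named here and flags declared caret ranges that admit them. The function names and sample inputs are constructed for illustration, and the range check generalizes from ^1.14.0 and ^0.30.0 to any caret range.

```javascript
// Added example. Indicator versions are the ones named in this briefing.
const COMPROMISED = new Map([
  ['axios', ['1.14.1', '0.30.4']],
  ['plain-crypto-js', ['4.2.1']],
]);

const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// npm caret semantics: ^X.Y.Z may change anything right of the left-most non-zero part.
// Assumption: only caret ranges and exact pins are handled (no ~, >=, *, or prerelease tags).
function caretAdmits(range, version) {
  if (!range.startsWith('^')) return range === version;
  const lo = parse(range.slice(1));
  const v = parse(version);
  const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0]
    : lo[1] > 0 ? [0, lo[1] + 1, 0]
    : [0, 0, lo[2] + 1];
  return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
}

// Lockfile v2/v3 "packages" keys look like "node_modules/a/node_modules/axios",
// so transitive and nested copies are covered, not just direct dependencies.
function lockedHits(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if ((COMPROMISED.get(name) || []).includes(meta.version)) hits.push(`${name}@${meta.version} at ${path}`);
  }
  return hits;
}

// Declared ranges that would float to a compromised release on a fresh resolve.
function floatingRisks(manifest) {
  const deps = { ...manifest.dependencies, ...manifest.devDependencies };
  const risks = [];
  for (const [name, range] of Object.entries(deps)) {
    for (const bad of COMPROMISED.get(name) || []) {
      if (caretAdmits(range, bad)) risks.push(`${name} ${range} admits ${bad}`);
    }
  }
  return risks;
}

// Constructed sample inputs (hypothetical project, not real data).
const sampleManifest = { dependencies: { axios: '^1.14.0', express: '^4.19.2' }, devDependencies: { 'legacy-client': '1.0.0' } };
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo' },
  'node_modules/axios': { version: '1.14.0' },
  'node_modules/legacy-client/node_modules/axios': { version: '0.30.4' },
  'node_modules/legacy-client/node_modules/plain-crypto-js': { version: '4.2.1' },
} };
console.log(lockedHits(sampleLock), floatingRisks(sampleManifest));
```

A hit from `lockedHits` means a compromised release was actually resolved into the tree; a hit from `floatingRisks` alone means a fresh resolve during the window could have pulled it. Installing with `npm ci` against a committed lockfile uses only the locked versions.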

The structural context is damning. 2025 saw 454,648 malicious packages published to npm in a single year — over 99% of all open-source malware was on npm. The September 2025 attack hit packages with 2.6 billion weekly downloads each. This is not a frequency anomaly; it's an accelerating campaign against the most critical infrastructure nobody funds. The axios maintainer was still using long-lived npm tokens — a known vulnerability — rather than npm's newer trusted publishing mechanisms. That single configuration decision, maintained by a single volunteer, was the attack surface.

Room for disagreement: The pessimist case is that npm has structurally no fix here — the security model of "anyone can publish anything under a trusted account" is foundational. But npm does have technical solutions: mandatory hardware 2FA for maintainers of packages with >1M weekly downloads, granular publish permissions, and automated behavioral analysis at publish time. The question is whether an incident affecting 100M+ downloads is finally the forcing function.

What to watch: Whether GitHub/npm mandates 2FA for high-impact maintainers within 90 days. If they don't, they're betting this was a one-off. The data suggests it was not.


Iran's Negotiation Theater: Two Signals, One Deadline

Yesterday's briefing noted the Islamabad summit as a potential path toward a ceasefire that required Hormuz reopening as a precondition. Today both assumptions cracked simultaneously.

Signal one (softening): The Wall Street Journal reported that Trump has privately told aides he's willing to end the Iran war without requiring the Strait of Hormuz to reopen. The calculation, per sources, is that reopening the Strait would require military operations extending well beyond his preferred 4-6 week timeline. He's set an April 6 deadline: reach a deal, or he threatens to "completely obliterate" Iranian power plants, oil wells, and Kharg Island. The White House framing via Time positions this as pragmatic flexibility. Iran's Foreign Ministry, predictably, says no negotiations are taking place.

Signal two (escalation): Iran struck a Kuwait-flagged crude tanker, the Al-Salmi, at Dubai's anchorage on March 31, setting it ablaze. The vessel carries approximately 2 million barrels of crude worth over $200 million; oil prices jumped almost 4% before pulling back to near $103/barrel on WTI. Reuters confirmed the strike. Trump responded by threatening to obliterate Iran's energy infrastructure. Iran's five-item condition list now includes recognition of Iranian sovereignty over the Strait of Hormuz — a demand that didn't exist three weeks ago.

Why it matters: This is coercive diplomacy in its textbook form — both sides are simultaneously escalating and negotiating. Iran's tanker strike serves two audiences: it signals to domestic hardliners that Iran isn't capitulating, and it strengthens Iran's bargaining position by demonstrating it can still inflict costs. Trump softening the Hormuz condition while threatening Kharg Island serves the same dual function — giving peace negotiators a concession while keeping military pressure credible.

The third development today is the one Bloomberg will probably underplay: the Financial Times reported that Pete Hegseth's broker at Morgan Stanley contacted BlackRock in February — before the Iran war launched — about purchasing the iShares Defense Industrials Active ETF (holding RTX, Lockheed, Northrop Grumman). CNBC confirmed the story. The Pentagon flatly denied it ("entirely false and fabricated"). The investment didn't go through — the ETF wasn't yet available to Morgan Stanley clients — but the timing of the inquiry, from the broker of the official who was most vocally championing war with Iran, is the kind of story that generates congressional interest regardless of whether criminal conduct occurred.

The irony: the Defense Industrials Active ETF has lost 12.4% since the war started. War economics are complicated — defense stocks price in completion risk, not just conflict initiation.

Room for disagreement: The optimist reading of today's dual signals is that they indicate an imminent deal: Iran is escalating because it's about to accept terms and needs domestic cover, and Trump is softening because someone calculated that Hormuz is not winnable in the short term. But April 6 is five days away, and Iran's formal five-condition list includes requirements that the US has shown no flexibility on.

What to watch: Whether the Islamabad coalition (Pakistan, Saudi Arabia, Turkey, Egypt) can broker a framework before April 6. If no deal emerges, the Kharg Island threat becomes the central variable. Kharg handles approximately 90% of Iran's oil export infrastructure. Striking it would end Iranian export capacity — and likely trigger oil prices above $150.


The Contrarian Take: Newsom's AI Order Is Regulatory Theater

Everyone says: California is standing up to Trump's AI deregulation. By requiring AI companies to demonstrate safety guardrails before winning state contracts, Newsom is using California's market power to create a de facto national AI safety floor.

Here's why that's wrong (or at least incomplete): Newsom's executive order applies only to companies seeking California state contracts. This covers a narrow slice of the AI market — government procurement — while leaving the commercial market that generates 99% of AI revenue entirely unregulated. The governor's own announcement is careful to avoid any language about broader market regulation. Meanwhile, Newsom vetoed SB 1047 — California's more comprehensive AI safety bill — in 2024, and his administration has consistently blocked stronger AI legislation that would have applied to the commercial market. The tech industry, which controls an outsized share of California's economy and political donations, wanted narrow procurement-scope regulation rather than comprehensive market regulation. That is what they got. The order positions Newsom politically for national ambitions while protecting Silicon Valley from the tougher constraints the legislature wanted to impose. As CalMatters reported in February, labor advocates have been arguing for months that Newsom is running interference for AI companies while performing progressive politics.


What Bloomberg Missed

  • The Hegseth story is actually about a broken norm. The specific investment never happened — the ETF wasn't available. But the pattern of suspiciously timed financial activity by officials with war-planning visibility (the earlier $580M bet on falling oil before Trump's March peace announcement; now Hegseth's broker inquiry) suggests a structural leak problem in US government decision-making, not just one bad actor.

  • The GitHub Copilot "bug" was a trial balloon. Microsoft injected promotional content for Raycast into over 1.5 million GitHub pull requests before developers caught it and revolted. The company called it a "bug" — tips appearing in "the wrong place." The more accurate reading: this was a test of whether developers would tolerate monetization of their code review workflow. They wouldn't. The playbook is identical to Twitter's early ad experiments: probe, deny intent, retreat, try again more carefully later.

  • npm's maintainer security model is a global single point of failure. The axios maintainer was still using long-lived npm tokens — a configuration that npm has been warning against for years. But changing it requires maintainer action, and npm can't force it. This isn't a security failure by one developer; it's a governance failure by an ecosystem that has never solved the problem of critical infrastructure maintained by volunteers with no security budget.


Quick Takes

GitHub kills Copilot pull request "tips" after 1.5M PRs affected. Microsoft's Copilot injected promotional content for Raycast into over 1.5 million pull requests before a developer caught it. GitHub's official spin — "tips appearing in the wrong place" — is technically accurate and strategically misleading. Microsoft reversed the feature but called it a bug, not a policy change. (The Register)

Rec Room is shutting down June 1. The VR social platform, once valued at $3.5B with 150 million users, could not find unit economics that worked. The company's post-mortem is unusually honest: AI costs from Maker AI launched in March 2025 ran above net revenue per Plus subscriber, and the freemium model never generated sufficient returns despite massive engagement. Snap is buying some assets. The broader lesson for metaverse-adjacent platforms: user count is not a business model. (Rec Room Blog)

OpenAI ships a Codex plugin for Claude Code. OpenAI released an open-source plugin that lets developers invoke Codex from within Anthropic's Claude Code CLI. Technically, it's a convenience integration. Strategically, it's OpenAI embedding itself in a competitor's developer platform — preventing full lock-in to Anthropic's ecosystem in a tool that accounts for roughly 4% of all public GitHub commits. Claude Code at ~$2.5B annualized revenue is now the dominant coding agent; OpenAI is treating it like a distribution channel rather than purely a threat. (GitHub)

Whoop raises $575M at $10.1B valuation. The health wearables company — targeting an IPO — hit $1B in ARR by end of 2025, with 60% of 2026 sales outside the US. The valuation is a signal: consumer health tracking, not VR social gaming, is where discretionary hardware spend is concentrating in 2026. (Bloomberg)


Stories We're Watching

  • The Iran War & Hormuz Crisis: US vs. Iran's negotiating logic (Day 32) — Iran struck a tanker while signaling ceasefire talks; Trump softened the Hormuz condition while threatening Kharg Island. April 6 is the stated deadline. Whether the Islamabad coalition can produce a framework by then determines whether the crisis enters a new, more dangerous phase.

  • OpenAI IPO: The Great Portfolio Audit (Week 2 of the Fidji Simo era) — The Codex plugin for Claude Code is either a sign of confidence (OpenAI doesn't fear Anthropic's distribution) or a sign of desperation (they need distribution they don't own). The super-app consolidation timeline will be the tell.

  • AI Midterm Battle: $250M+ vs. 71% of Americans (Week 1) — Innovation Council Action, Leading the Future, and Meta PAC are mobilizing unprecedented single-industry midterm spending. The counter-organizing from labor and consumer groups hasn't begun in earnest. Watch for Democratic super PAC responses.


The Thread

Two of today's lead stories — the Axios npm attack and the Hormuz tanker strike — look unrelated. They aren't.

Both are attacks on chokepoints: the npm dependency graph, through which most of the world's JavaScript software is distributed; and the Persian Gulf shipping lanes, through which most of the world's oil flows. In both cases, the defender's position is structurally weak not because of insufficient resources but because of misaligned incentives. npm's security posture depends on volunteer maintainers updating their authentication practices. The Gulf shipping lanes depend on a US military deterrent that Iran has learned to probe and test without triggering full escalation.

The deeper pattern: critical global infrastructure — whether software dependencies or energy transport — is increasingly maintained by institutions whose incentives don't align with the scale of harm that failure creates. Open-source maintainers get no financial reward for rotating their npm tokens. Iran gets positive negotiating value from every tanker it strikes. The defensive investment is always lagging the offensive opportunity.

California's AI procurement order is, in this context, a third instance of the same dynamic. State governments are trying to impose costs on AI companies whose primary incentives are to minimize compliance burden. The order only works if California's procurement leverage exceeds the cost of compliance — which is more plausible for smaller AI vendors than for the hyperscalers who have enough federal contracts to absorb the loss of California business.

The common thread across today's stories is the gap between the scale of the risk and the adequacy of the institutions managing it.


Predictions

New predictions:

  • I predict: npm will mandate hardware 2FA for all package maintainers with >1M weekly downloads within 90 days of the Axios attack. The PR pressure is now too high for GitHub/Microsoft to continue the voluntary approach. (Confidence: medium; Check by: 2026-06-30)

  • I predict: At least one congressional committee will formally request Pete Hegseth's financial disclosures related to the pre-war defense ETF inquiry within 30 days. The story has too much traction — and the Pentagon's denial is too categorical — for it to not generate formal oversight action. (Confidence: high; Check by: 2026-04-30)


Generated: 2026-03-31 | Daily News Briefing
