A Bigger Issue ...
So while various governments and institutions are off worrying about what people say on social media and try to figure out how to get Open Source programmers to work for them for free, some of the REAL problems facing Open Source seem to be going unchallenged.
It's been coming down the track for a while now ...
Yup, supply chain attacks. This isn’t missiles aimed at boats in the Middle East; this is bad actors (hackers) trying to compromise one of the hundreds of thousands (millions) of Open Source packages out there that are incorporated into our everyday life. Case in point: over the last few days we saw a very severe exploit that looks like it might originate in North Korea. Summary courtesy of Gemini:
Imagine a baker (the developer) makes a cake (the app). They buy flour (Axios) from a trusted supplier. If someone poisons the flour at the factory, every cake made with that batch becomes dangerous, even if the baker followed the recipe perfectly. Once someone eats the cake, not only are they going to be ill, but they will in turn potentially poison others without even realising.
Security Alert: The Axios "Supply Chain" Attack
What Happened?
On March 31, 2026, a popular software building block called Axios—used by millions of websites and apps to communicate with servers—was briefly compromised. Hackers gained access to a lead developer’s account and injected malicious code into two specific versions of the library (1.14.1 and 0.30.4).
How Does This Affect “Average” Users?
Most users don’t interact with Axios directly, but the apps they use do. If a developer unknowingly updated their app during the three-hour window of the attack, that app could have been turned into a “spy” on the user’s device.
The Malware: The malicious code was designed to steal sensitive information, such as passwords, digital keys, and “environment variables” (secret codes that apps use to talk to services like Amazon or Google).
The Risk: While the “hole” was plugged within hours, any data handled by an infected app during that window should be considered stolen.
What Should You Do?
Update Your Apps: If you receive notification of an app update today, install it immediately. Developers are currently “rolling back” to safe versions of their software.
Rotate Critical Secrets: If you are a power user or developer who uses “API Keys” or “Environment Variables” for work, change them immediately.
Monitor Accounts: Keep a close eye on your accounts for any unusual activity over the next few days, particularly if you use developer-focused tools or crypto-wallets.
The Bottom Line:
This wasn’t a “hack” of a single website, but a “supply chain” attack—poisoning the ingredients before the meal is even cooked. While the immediate threat is over, the ripple effects of stolen data may last for weeks.
How could this happen?
Don’t think for a second that this is either new or unexpected. It’s been known about and expected (and has been happening) for quite some time, but it would appear that the efforts made to mitigate this sort of attack are proving insufficient.
Depending on the project, developers will pull in code written by other people either from source code repositories like GitHub and GitLab, or from package managers like PyPI or npm. These are all trusted sources, because, well, you have to trust somebody, right?
The problem (at least in this case) is that if someone who maintains a chunk of trusted code has their credentials compromised in some way, a bad actor then has unfettered access to that trusted code. If there are no other controls in place (as apparently in this instance), then the exploit can end up anywhere doing almost anything, from replacing your website with a pink bunny to stealing your online banking credentials on your mobile phone (or, as it looks in this case, going after your digital wallet and all the crypto-currency it can find).
How do we stop this happening?
Well, there’s no easy fix; it’s going to take work. In order to do the work, resources are going to be needed, and thus far those with the resources seem to be directing them at the wrong targets.
“We have outsourced our entire digital infrastructure to a handful of unpaid, exhausted and now persecuted volunteers, then acted surprised when the ‘pipeline’ we refused to fund was hijacked by a nation-state.”
If we’re worried about source repository and package repository security, which affects everybody, then maybe some (more) funding is in order. And whereas bugs in code can be a problem, exploits, it would seem, are a far, far bigger problem. And again, if we want well-maintained, bug-free code, maybe it’s time to start paying the people who write it, rather than threatening them and trying to make them do even more for even less?