Critical Axios Vulnerability (CVE-2026-40175) Enables Cloud Infrastructure Compromise A newly disclosed critical vulnerability in the widely used Axios HTTP client library (CVE-2026-40175, CVSS 9.9) exposes web applications and cloud environments to Remote Code Execution (RCE) and full infrastructure takeover. The flaw, discovered by security researcher Raulvdv and later detailed by Jasonsaayman, allows attackers to bypass AWS IMDSv2 protections, exfiltrate sensitive metadata, and steal credentials. The vulnerability stems from unrestricted header processing and missing input sanitization in Axios’s `lib/adapters/http.js` file. When combined with Server-Side Request Forgery (SSRF) and HTTP Request Smuggling, it forms a high-risk "Gadget Attack Chain" that requires no user interaction. Exploitation occurs via JavaScript prototype pollution, where tainted properties from dependencies (e.g., `body-parser`, `qs`, `minimist`) are merged into Axios’s request configuration. The lack of CRLF (carriage return/line feed) sanitization enables attackers to inject malicious headers, hijacking outbound requests. A public Proof of Concept (PoC) demonstrates how attackers can abuse this flaw to craft a PUT request to AWS EC2 Metadata Service (169.254.169.254), bypassing IMDSv2 token requirements. Successful exploitation grants access to IAM session tokens, privilege escalation, and full cloud environment control. Additional risks include authentication bypass, cache poisoning, and RCE in containerized/serverless systems. All Axios versions before 1.13.2 are vulnerable. The patched version (1.15.0+) enforces strict header validation, blocking prototype pollution-based attacks. Organizations are urged to upgrade immediately and audit dependencies for prototype pollution vectors.

North Korean Threat Actor Compromises Axios npm Packages in Supply Chain Attack On March 31, 2026, Microsoft uncovered a supply chain compromise involving two malicious versions of the widely used JavaScript HTTP client, Axios (1.14.1 and 0.30.4). The attack, attributed to North Korean state-backed threat actor Sapphire Sleet, introduced a hidden dependency [email protected] that executed silently during npm installation via lifecycle hooks. The malicious dependency did not alter Axios’s core functionality but instead contacted attacker-controlled command-and-control (C2) infrastructure (hxxp://sfrclak[.]com:8000/6202033, hosted on IP 142.11.206[.]73) to deploy a second-stage remote access trojan (RAT). The attack targeted developer workstations, CI/CD pipelines, and production systems, leveraging Axios’s broad adoption to maximize impact. ### Attack Mechanics To evade detection, the threat actor first released a benign version ([email protected]) before publishing the malicious 4.2.1, which included an install-time script (setup.js) and a decoy manifest. The compromised Axios versions bypassed standard CI-backed publishing processes, adding the rogue dependency without triggering alarms. During installation, the post-install hook executed setup.js, which: - Fingerprinted the platform (Windows, macOS, or Linux) via encoded POST requests. - Downloaded tailored payloads from the C2, including: - macOS: A native binary (com.apple.act.mond) dropped in /Library/Caches, executed via zsh. - Windows: A PowerShell RAT (6202033.ps1) persisted via a hidden Run registry key, masquerading as wt.exe. - Linux: A Python-based RAT (ld.py) executed with nohup to suppress output. - Self-cleaned by deleting its loader and replacing it with a sanitized manifest to minimize forensic traces. ### Attribution & Impact Microsoft’s Threat Intelligence linked the infrastructure and tactics to Sapphire Sleet, a North Korean group known for financially motivated operations targeting cryptocurrency and fintech sectors. The attack exploited npm’s auto-update mechanisms, allowing malware to spread undetected across environments where Axios was a dependency. ### Mitigation & Response Microsoft Defender detected the activity and deployed protections to block the malicious components. Recommended actions included: - Rotating exposed secrets and downgrading to safe Axios versions (1.14.0 or 0.30.3). - Removing malicious artifacts and reinstalling clean packages. - Hardening npm usage by disabling auto-upgrades, pinning exact versions, and restricting dependency bots. - Monitoring for outbound connections to sfrclak[.]com or 142.11.206[.]73:8000. - Adopting Trusted Publishing with OIDC to reduce account takeover risks. The incident highlights the risks of supply chain attacks, where a single compromised dependency can serve as a cross-platform malware delivery vector.

Critical DoS Vulnerability in Axios HTTP Library Exposes Node.js Servers to Crashes A high-severity security flaw (CVE-2026-25639) has been identified in Axios, a widely used HTTP client library for Node.js, enabling attackers to trigger denial-of-service (DoS) attacks by crashing servers. The vulnerability affects all versions up to and including 1.13.4 and stems from improper handling of configuration objects in the `mergeConfig` function. The flaw allows attackers to exploit Axios by sending a maliciously crafted JSON payload such as `{"__proto__": {"x": 1}}` to any endpoint that processes user input into Axios configurations. When the library attempts to merge this payload, it incorrectly treats JavaScript’s `Object.prototype` as a callable function, causing an immediate server crash. Unlike typical prototype pollution attacks, this vulnerability does not corrupt application behavior incrementally but instead disrupts availability instantly. The issue resides in lines 98–101 of `lib/core/mergeConfig.js`, where the code fails to validate property names before processing. Any Node.js application that accepts user-controlled JSON and passes it to Axios methods (e.g., `get()`, `post()`) is at risk. Given Axios’s widespread adoption in backend services for API calls, the impact is far-reaching, with attacks requiring no authentication and minimal technical expertise. The Common Vulnerability Scoring System (CVSS) rates this flaw as High severity (7.5/10), citing its network-based attack vector, low complexity, and lack of required privileges or user interaction. While the vulnerability does not compromise data confidentiality or integrity, it fully disrupts service availability. Security researcher hackerman70000 discovered and reported the issue. The Axios team has released version 1.13.5, which patches the flaw by adding proper checks for unusual property names in configuration objects. Developers are advised to upgrade immediately and audit their codebases for instances where user input flows into Axios configurations.

Anthropic Accidentally Leaks Claude Code Source, Exposing Internal AI Systems Anthropic has inadvertently leaked the source code for Claude Code, its widely adopted AI-powered coding assistant, exposing roughly 500,000 lines of code across 1,900 files. The incident, confirmed by the company as a "release packaging issue" caused by human error, occurred when internal code was mistakenly uploaded to NPM a platform for software distribution instead of the final, compiled version. The leak follows a separate accidental disclosure earlier this month, in which a draft blog post revealed details about Mythos (also referred to as Capybara), an upcoming AI model described as more powerful and potentially more dangerous than Anthropic’s current flagship, Opus. While the latest breach did not expose model weights or customer data, cybersecurity experts warn it could allow competitors to reverse-engineer Claude Code’s underlying "agentic harness" the software layer that governs the AI’s behavior, tool integration, and safety guardrails. This could enable the creation of open-source alternatives or help rivals refine their own AI systems. Security researcher Roy Paz of LayerX Security noted that the leaked code also provided further evidence of Capybara, Anthropic’s next-generation model, which is expected to surpass Opus in capability and cost. The draft blog post previously described it as a new tier, with "fast" and "slow" variants likely replacing Opus as the company’s most advanced offering. Paz highlighted concerns that the exposed code may reveal vulnerabilities in how Claude Code interacts with Anthropic’s internal systems, potentially allowing malicious actors including nation-states to exploit the AI for cyberattacks or bypass existing safeguards. Anthropic’s Opus model is already classified as a high-risk tool due to its ability to autonomously identify zero-day vulnerabilities, a capability that could be weaponized by threat actors. This is not the first time the company has faced such an exposure; in February 2025, an early version of Claude Code was similarly leaked, revealing internal workings and system connections before being removed. The company has stated it is implementing measures to prevent future incidents but has not disclosed further details. The leak underscores the challenges of securing proprietary AI systems as adoption and scrutiny of advanced models continues to grow.