Executive Brief · April 20, 2026 · Security Posture

25 repos. 67 critical vulnerabilities. This is why we stop everything.

A non-technical brief for product leadership. The npm package ecosystem — the supply chain that builds every service we run — has been breached repeatedly at industrial scale in the last 12 months. We are exposed. This document explains why dependency hardening must jump the queue over feature work, in plain language.

Ehud Shahak, CTO | 2 minute read | Linear: Dependency Security Hardening

What is "a dependency", in plain English?

“Every piece of software we ship is built from roughly two thousand small Lego pieces written by strangers on the internet. Most are great. But the locks on the Lego factory are breaking once a week now — and when they break, someone walks into every house that was built with those pieces. Our job is to replace the locks before that happens.”

Our current exposure

Automated security scans across our 25 production repositories returned the following. These are not theoretical — they are known, published vulnerabilities in the code that runs our marketplace right now.

Critical

Remote code execution class

383

High severity

Data exposure, auth bypass

Repos affected

Across our entire stack

~102h

Fix effort

~2–3 dev-weeks, 4 engineers

21 of 25 repos are fast (<8h each). Only 4 need coordinated refactoring.

This happened to others in the last 8 months

These are not hypothetical scenarios. These are real compromises of packages we depend on — or packages in the same ecosystem — weaponized and deployed to production systems worldwide in the last 12 months.

Mar 30–31, 2026

axios

~100M+ weekly downloads across affected versions

North Korean state hackers (attributed by Google Threat Intelligence and Microsoft) hijacked the maintainer's account. For three hours, every machine that ran npm install received a remote-access tool. We use axios.

LostFull remote-access capability installed on every developer laptop, CI runner, and production server that updated during the 3-hour window. Exposure = any credentials, source code, or deployment keys on those machines.

Sep 14–23, 2025

Shai-Hulud worm

500+ packages infected

The first self-replicating npm worm. Stole AWS, Google Cloud, Azure, GitHub and npm credentials, then auto-spread itself to the victim's other packages. Triggered a CISA national alert.

Lost~20,000 files dumped to public GitHub repos named s1ngularity-repository-* — containing AWS/GCP/Azure keys, GitHub & npm tokens, and private source code from hundreds of organizations. Some victims had private repos forcibly flipped to public.

Sep 8, 2025

chalk · debug · 16 others

2.6 BILLION weekly downloads combined

A maintainer was phished. The payload rewrote cryptocurrency transaction destinations in browsers to drain wallets. These packages sit inside virtually every Node.js app on Earth — including ours.

LostUnder $1,000 in crypto — caught within ~2 hours by Aikido. The warning: this lives inside our dependency tree transitively right now. A slower detection window would have drained orders of magnitude more.

Aug 26, 2025

Nx (s1ngularity)

3.5 million weekly downloads

First attack to weaponize AI coding tools (Claude, Gemini) to hunt for secrets on developer laptops. 2,349 credentials from 1,079 developer systems leaked to public GitHub.

Lost2,349 live credentials — GitHub personal-access tokens, npm publish tokens, AWS access keys, SSH private keys — posted publicly. Every one is now a beachhead into a downstream company.

May 5, 2025

rand-user-agent

45,000 weekly downloads

One stolen npm token (no two-factor auth) became a remote shell on every server that installed the update. Part of the axios-adjacent ecosystem — a dress rehearsal for the March 2026 axios attack.

LostFull remote shell and file-exfiltration capability on every server running the poisoned versions. No public incident disclosures — meaning victims either didn't know or didn't say.

Jun 2024

polyfill.io

100,000+ websites compromised

A Chinese buyer of the domain injected malware to redirect visitors to scam sites. Affected high-profile sites included Hulu, Mercedes-Benz, and JSTOR. Demonstrated that an entire ecosystem can rot overnight.

LostMonths of mobile traffic on 100,000+ sites silently redirected to scam and gambling destinations. Ad revenue diverted, user trust damaged, brand contamination, and SEO penalties from Google flagging affected pages as malicious.

Why this isn't "normal" security debt

These are not theoretical CVEs buried in a scanner report. They were weaponized and deployed to production systems in the last 8 months. Real companies paid real costs.
Our exact stack — Nuxt 3, NestJS, axios, debug, chalk — was in the blast radius of two of the incidents above. Only luck determines whether we were downstream of the specific versions that shipped malware.
The npm ecosystem crossed a line in 2025: 454,600 new malicious packages published (Sonatype), 99.8% of all open-source malware now lives on npm, and the first self-replicating worms appeared. The threat model has shifted.
CVE to exploit-in-the-wild is measured in days, not weeks. Every week we wait, another publication window opens where our running code has a known, public, exploitable vulnerability.

The questions you're about to ask

Q.Is everything really critical? Can we just fix the worst ones and ship the rest later?

Fair question, and the honest answer is: partial fixes don't save much time, and they leave the exact doors open that attackers walk through.

Three reasons we can't cherry-pick:

1. The overhead is the scan-and-ship cycle, not the fixes themselves. For each of the 25 repos we have to audit dependencies, run tests, deploy, and verify. Fixing only the 67 Critical items still requires all 25 of those cycles. The actual patching is the small part of the ~102h estimate. Fixing "half" saves maybe 15-20%, not 50%.

2. Today's "High" is next month's "Critical". Eight months ago the axios version we run today was a "Moderate" dependency nobody worried about. The same is true for the chalk and debug libraries that became wallet drainers overnight. We cannot predict which unpatched library becomes the next headline. The only defensible posture is: current everywhere.

3. Transitive contamination. npm installs a tree, not a list. A "moderate" vulnerability in a package that is a dependency-of-a-dependency-of-axios becomes an attack path the moment the parent is updated. Picking only the top-severity items creates a patchwork that actually increases risk because the dependency tree is now in a state no one has tested.

What we CAN do to compress the timeline: parallelize aggressively (4 engineers, 25 repos), ship each repo as it's ready rather than big-bang, and sequence by blast radius — production-facing services first, then admin tools, then internal utilities. That's the plan.

Q.Have we actually been breached? Is there a specific incident we're responding to?

No confirmed compromise. This is preventive. That is precisely why we can still choose to do it cheaply and on our own schedule. Every company that appears in the incident list above was also "not breached" — right up until the day they were.

Q.Can we do this in the background without freezing features?

Partially, yes — but it extends the window from ~2 weeks to ~6-8 weeks, keeps the team context-switching the whole time, and means we are exposed for that full period. The math favors a focused sprint: less total cost, less elapsed exposure, cleaner return to feature work.

Cost of delay vs. cost of breach

If we pause feature work

Cost of delay

2–3 dev-weeks reallocated across 4 engineers
One roadmap cycle slips by ~10 business days
Marketing campaigns re-timed; no revenue impact
Team returns to feature work with a hardened platform
Fully reversible. Work resumes as planned.

If we ship the breach

Cost of compromise

User bot inventory drained — irreversible loss of assets under management
Trading halted; payment and exchange integrations revoked
GDPR disclosure required within 72 hours; regulator scrutiny
3–6 months to rebuild user trust — or longer
Existential. Several of the 2025 incidents ended companies.

The ask

Decision, not discussion

Freeze non-critical feature work for approximately two weeks across four engineers to close out the Dependency Security Hardening project.

21 of 25 repositories can be patched in under 8 hours each and parallelized immediately. 4 repositories require coordinated refactoring and will be prioritized first. Critical production fixes and customer-blocking incidents continue uninterrupted. Everything else waits.

Every day we delay, we are betting the company on attackers choosing to skip us. That is not a security posture. That is luck.

Sources · all claims are citable

axios attack attribution:
Google Threat Intelligence Group

axios mitigation guidance:
Microsoft Security Blog

Shai-Hulud worm advisory:
CISA (US Cybersecurity Agency)

chalk / debug compromise:
Aikido Security

Nx s1ngularity postmortem:
Wiz Research

polyfill.io investigation:
Sansec

Ecosystem malware stats:
Sonatype 2025 Open-Source Malware Index (Q3 2025)

Internal project tracker:
Linear · Dependency Security Hardening · 25 repos

Prepared by Ehud Shahak, CTO · tradeit.gg · 2026-04-20
Distribute to product leadership. Comments welcome.