
Well, the hack didn't survive more than 2-3 hours if I'm not mistaken. I don't think that counts as "nobody acted on it."


Actually, from the OP, the timeline is:

> March 31, 00:21 UTC: axios@1.14.1 published with plain-crypto-js@4.2.1 injected

> March 31, around 01:00 UTC: axios@0.30.4 published with the same payload

> March 31, around 01:00 UTC: first external detections

> March 31, around 01:00 UTC: community members file issues reporting the compromise. The attacker deletes them using the compromised account.

So it was found out almost immediately.



