I no longer run Claude Code without this (and neither should you)
Three days ago, a North Korean actor compromised Axios on npm, one of the most widely used JavaScript packages in the world, with over 100 million downloads per week. There's roughly an 80% chance it's in your project, even if you never installed it directly, because it arrives as a dependency of your dependencies. For about three hours, anyone whose `npm install` resolved to the compromised release pulled a trojaned package onto their machine. Those using AI coding tools like Claude Code, Cursor, or Codex are at even greater risk.
To understand the severity, it's crucial to grasp a basic concept: when developing applications, you don't code everything from scratch. Instead, you use existing code "bricks" that other people publish online. npm is the registry for these bricks, much like an app store for code. You need a feature, you run `npm install`, and it's integrated into your project. However, these bricks often depend on other bricks, which in turn depend on more. A JavaScript project can pull in dozens, even hundreds, of such components from developers you have never heard of, and npm will run their install scripts on your machine with your own privileges. You implicitly trust every one of them with your code and your machine.
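The transitive-dependency problem is easier to see on a concrete lockfile. The script below is an added example, not code from the original post or from the Axios project: it walks the `packages` map that npm writes into a lockfileVersion 2/3 `package-lock.json`, mirrors Node's nearest-`node_modules`-first resolution, and lists every chain by which a target package such as axios reaches your project, including nested duplicate copies at different versions. The lockfile embedded here is constructed for illustration; package names other than axios are placeholders, and no compromised version numbers are assumed.

```javascript
// Added example, not code from the original post: list every path by which a target
// package (here axios) reaches a project through the npm dependency graph, using the
// "packages" map of a lockfileVersion 2/3 package-lock.json. The lockfile below is
// constructed for illustration; package names other than axios are placeholders.

const LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "demo-app",
      dependencies: { "http-helper": "^2.0.0", react: "^18.0.0" },
    },
    "node_modules/react": { version: "18.2.0" },
    "node_modules/http-helper": {
      version: "2.1.0",
      dependencies: { axios: "^1.6.0", "legacy-client": "^0.9.0" },
    },
    "node_modules/legacy-client": {
      version: "0.9.4",
      dependencies: { axios: "^0.21.0" },
    },
    // legacy-client pins an older axios, so npm nests a second copy beneath it.
    "node_modules/legacy-client/node_modules/axios": { version: "0.21.4" },
    "node_modules/axios": {
      version: "1.6.8",
      dependencies: { "follow-redirects": "^1.15.0" },
    },
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
};

// Read a real package-lock.json from disk (use in place of LOCKFILE on a real project).
function loadLockfile(path) {
  return JSON.parse(require("fs").readFileSync(path, "utf8"));
}

// Package name from a lockfile key, e.g. "node_modules/a/node_modules/@s/b" -> "@s/b".
function nameOf(key) {
  return key.split("node_modules/").pop();
}

// Mirror Node's resolution: nearest node_modules first, then walk up toward the root.
// Returns the lockfile key of the package that `fromKey` gets for `depName`, or null.
function resolveDep(packages, fromKey, depName) {
  let base = fromKey;
  for (;;) {
    const candidate = (base === "" ? "" : base + "/") + "node_modules/" + depName;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root, returning one record per distinct chain that ends
// at `target`: the installed version, the chain as text, and whether it is a direct dep.
function findDependencyPaths(lock, target) {
  const packages = lock.packages;
  const results = [];
  const visit = (key, keys, labels) => {
    const pkg = packages[key];
    const label = key === "" ? lock.name : `${nameOf(key)}@${pkg.version}`;
    const chainKeys = keys.concat(key);
    const chainLabels = labels.concat(label);
    if (key !== "" && nameOf(key) === target) {
      results.push({ version: pkg.version, chain: chainLabels.join(" > "), direct: keys.length === 1 });
      return;
    }
    const deps = Object.assign({}, pkg.dependencies, pkg.devDependencies, pkg.optionalDependencies);
    for (const dep of Object.keys(deps)) {
      const next = resolveDep(packages, key, dep);
      if (next && !chainKeys.includes(next)) visit(next, chainKeys, chainLabels); // skip cycles
    }
  };
  visit("", [], []);
  return results;
}

// Keep only installs whose version is in `badVersions`. The real set must come from the
// advisory for the incident; the post gives no version numbers, so none are hard-coded.
function affectedInstalls(paths, badVersions) {
  return paths.filter((p) => badVersions.has(p.version));
}

for (const p of findDependencyPaths(LOCKFILE, "axios")) {
  console.log(`${p.direct ? "direct    " : "transitive"}  ${p.chain}`);
}
```

On a real project, swap `LOCKFILE` for `loadLockfile("package-lock.json")` and pass the compromised versions from the advisory to `affectedInstalls`; the point the demo makes is that axios shows up twice, at two different versions, without ever appearing in the root `dependencies`. `npm ls axios --all` (npm 7 or later) prints the same chains for an installed tree, but reading the lockfile works offline and on a checked-out repo before anything is installed.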