
I no longer launch Claude Code without this (and you shouldn't either)
Three days ago, North Korea hacked npm, specifically targeting Axios, one of the most widely used JavaScript packages globally, with over 100 million downloads per week. There's an 80% chance it's in your project, even if you never installed it directly. For three hours, anyone running `npm install` automatically received a Trojan horse. Those using AI coding tools like Claude, Cursor, or Codex are at even greater risk.
To understand the severity, it's crucial to grasp a basic concept: when developing applications, you don't code everything from scratch. Instead, you utilize existing code snippets, or "bricks," shared freely online. npm is a repository for these code snippets, much like an app store for code. You need a feature, you do an `npm install`, and it's integrated into your project. However, these "bricks" often depend on other "bricks," which in turn depend on more. A JavaScript project can involve dozens, even hundreds, of such components from unknown developers you implicitly trust with your code and machine.
Axios is one such highly utilized "brick," essential for making internet requests in JavaScript, like calling APIs or sending forms. If you've worked with JavaScript, even with AI tools, Axios is likely in one of your projects, even if you didn't install it yourself.
On March 31st, a North Korean hacking group stole the access token of Axios's main maintainer, the individual responsible for publishing updates. This token allowed them to publish anything they wanted without a password. They executed a sophisticated attack:
1. Eighteen hours before the main attack, they published a package named "Plain Crypto JS" version 4.20.0, which was clean, to establish a legitimate history for the package.
2. Hours later, they published version 4.20.1 of "Plain Crypto JS," this time embedding a "post-install" script—a script that automatically executes during an `npm install`—to launch malware.
3. At 12:21 AM, they published Axios 1.14.1 (following 1.14.0) and, 39 minutes later, Axios 0.30.4. These versions didn't alter Axios's code but added "Plain Crypto JS" as a dependency in `package.json` with a single line.
With this, the trap was set. An `npm install` would download the new Axios version, triggering the malware. This script would instantly detect the operating system (Windows, Mac, or Linux), contact a command server in North Korea, and download a Remote Access Trojan (RAT). After execution, the script would self-delete, erasing its tracks. In three hours, before npm removed the compromised versions, potentially hundreds of thousands were infected, most unknowingly. Google and Microsoft confirmed this was a state-sponsored North Korean group aiming to steal cryptocurrency and industrial secrets.
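A defensive check for the versions named above, as an added example that is not part of the original summary. It scans a parsed `package-lock.json` for the flagged versions and also lists every package that declares an install script (the lockfile's `hasInstallScript` field). The npm spelling `plain-crypto-js`, the function names and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example (not from the original summary): audit a parsed
// package-lock.json (lockfileVersion 2 or 3) for the versions named above.
// Assumption: "Plain Crypto JS" is spelled "plain-crypto-js" on npm.
const FLAGGED = {
  "axios": ["1.14.1", "0.30.4"],
  "plain-crypto-js": ["4.20.1"],
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

// Returns packages pinned to a flagged version, plus every package that
// runs a script at install time, including nested (transitive) copies.
function auditLockfile(lock, flagged = FLAGGED) {
  const findings = { flagged: [], installScripts: [] };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = meta.name || packageName(path);
    const bad = Object.hasOwn(flagged, name) ? flagged[name] : [];
    if (bad.includes(meta.version)) {
      findings.flagged.push({ name, version: meta.version, path });
    }
    if (meta.hasInstallScript) {
      findings.installScripts.push({ name, version: meta.version, path });
    }
  }
  return findings;
}

// Constructed sample lockfile (hypothetical project and addon names).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "4.20.1", hasInstallScript: true },
    "node_modules/legacy-sdk/node_modules/axios": { version: "0.30.3" },
    "node_modules/example-native-addon": { version: "2.0.0", hasInstallScript: true },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

For a real project, pass the result of `JSON.parse` on the contents of `package-lock.json`; each `installScripts` entry is a package that executes code during installation and is worth reviewing.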
If you use AI tools like Claude or Codex for coding, you're particularly vulnerable. AI-generated projects often include numerous dependencies, and developers, trusting the AI, typically don't review each one. Many "Vibe Coders" (those who focus on high-level coding without delving into technical details) are unaware of "post-install" scripts, which hackers exploit. Crucially, many code on their main machines, where passwords, crypto assets, photos, documents, and email sessions are stored. This creates a scenario where an `npm install` could lead to the theft of all your sensitive data.
A simple protection method, not requiring cybersecurity expertise, is to never code on your primary machine. Imagine three layers:
1. **Primary Machine:** Your Windows or Mac, containing all your digital life. Never code or perform `npm install` here.
2. **Virtual Machine (VM):** A completely isolated computer running within your primary machine. What happens in the VM stays in the VM; malware there cannot physically access your main OS.
3. **Snapshots:** Before each coding session, take a "photo" of your VM's state. If anything goes wrong, you can revert to a clean state.
This system can be built with free tools like Oracle VirtualBox (to create the VM) and Ubuntu (a Linux distribution with a graphical interface). When setting up your VM, disable shared folders, the shared clipboard, and drag-and-drop functionality to prevent malware from bridging to your primary machine.
The workflow would involve opening VirtualBox, launching the VM, and taking a snapshot before coding. If an attack occurs (e.g., an unexpected folder appears), you simply shut down the VM, revert to the previous snapshot, and restart. This process takes minutes, far less than recovering from a full system compromise.
Vibe coding is powerful and represents the future of development, but it doesn't mean coding blindly. Developers, who often trust their tools perhaps too much, are prime targets for hackers.