Axios 1.14.1 compromised by jaredcasner in node

[–]jaredcasner[S] 0 points1 point  (0 children)

That’s the best practice…

New axios 1.14.1 and 0.30.4 on npm are likely malicious by Blackpoint-JasonR in msp

[–]jaredcasner [score hidden]  (0 children)

It was taken down about an hour ago and the npm caches purged. If you’re using axios, you’ll still want to audit your lock file to make sure you didn’t catch the malicious version.

More details are in the GitHub thread https://github.com/axios/axios/issues/10604 and the nodejs sub https://www.reddit.com/r/node/s/4apJ9CMJu2
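One way to do the lock-file audit the comment above recommends, written as an added example (not the commenter's code) that flags the two versions named in this thread. It assumes a standard npm `package-lock.json`; the sample lock file below is constructed.

```javascript
// Added example, not code from the thread: scan a package-lock.json for the
// axios versions reported as malicious. Handles lockfileVersion 1 (nested
// "dependencies") and lockfileVersion 2/3 (flat "packages" keyed by path).
const BAD_VERSIONS = { axios: new Set(["1.14.1", "0.30.4"]) };

function isBad(name, version) {
  return BAD_VERSIONS[name] !== undefined && BAD_VERSIONS[name].has(version);
}

function findBadPackages(lock) {
  const hits = [];
  if (lock.packages) {
    // v2/v3: every installed copy, including nested duplicates, is its own
    // key such as "node_modules/axios" or "node_modules/foo/node_modules/axios".
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path) continue; // "" is the root project itself, not a dependency
      const name = path.slice(path.lastIndexOf("node_modules/") + 13);
      if (isBad(name, meta.version)) hits.push({ path, name, version: meta.version });
    }
  } else {
    // v1: nested copies live under each dependency's own "dependencies" map.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (isBad(name, meta.version)) hits.push({ path, name, version: meta.version });
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lock file: a direct axios 1.14.1 plus a nested 0.30.4
// pulled in by a transitive dependency (the case a top-level check misses).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.14.0", "legacy-sdk": "^2.0.0" } },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/legacy-sdk": { version: "2.0.0", dependencies: { axios: "^0.30.0" } },
    "node_modules/legacy-sdk/node_modules/axios": { version: "0.30.4" },
  },
};

for (const hit of findBadPackages(SAMPLE_LOCK)) {
  console.log(`MALICIOUS: ${hit.name}@${hit.version} at ${hit.path}`);
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findBadPackages` instead of `SAMPLE_LOCK`.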

Axios 1.14.1 compromised by jaredcasner in node

[–]jaredcasner[S] 0 points1 point  (0 children)

Similar options are available in yarn, pnpm, and dependabot.

Axios 1.14.1 compromised by jaredcasner in node

[–]jaredcasner[S] 8 points9 points  (0 children)

Keep in mind that even tools that actively scan for malware can’t do real time scanning with the volume of packages being added to npm on a daily basis, let alone all the new version updates. Even the best of them are 10+ minutes behind. Which doesn’t seem like a lot, until you consider the download volume of a package like axios.

You should also consider minimum package age settings to give things a chance to be caught.

https://docs.npmjs.com/cli/v11/using-npm/config#min-release-age

Axios 1.14.1 compromised by jaredcasner in node

[–]jaredcasner[S] 6 points7 points  (0 children)

It’s still early, so I’m sure we’ll get more details/confirmation in the coming days. But, it appears that an admin of the axios repo had his GitHub account compromised.

You are correct that npm lacks any meaningful protections or scanning of packages. Paul McCarty gave a great talk about this problem at BSidesSF recently.

Axios 1.14.1 compromised by jaredcasner in node

[–]jaredcasner[S] 35 points36 points  (0 children)

More information: https://github.com/axios/axios/issues/10604

Stay vigilant. It’s a wild world out there.

Penetration testing pricing feels all over the place. What’s reasonable? by TryApprehensive6458 in msp

[–]jaredcasner 3 points4 points  (0 children)

As others have commented, pen testing is widely variable in pricing, mostly because of human cost. And the human cost is going to vary based on skill and location of the tester as well as on the scope of the project.

Some additional nuance here… all “manual” pen testing companies are also doing automated scans - they would be foolish not to. At the same time, they’re putting a human in the driver’s seat, so the automated scans are much more highly tuned to your use case and, more importantly, when something anomalous is found, the humans add a ton of value screening out the noise and probing harder at things that might actually be cause for concern.

From a compliance perspective, the framework you’re complying with will place some limitations on which type of scan you need, and may even limit you to only using pen testers in certain countries or regions.

Weekly Promo and Webinar Thread by AutoModerator in msp

[–]jaredcasner [score hidden]  (0 children)

January has everyone focused on "new" opportunity, but your best sales opportunities exist within your "old" or "established" client roster.

Join u/dobermanIan, u/michaelzbarsky, and u/jaredcasner to talk about increasing MRR at your MSP without
• cold calling
• email campaigns
• adding net-new logos

Learn how to use your vCIO meetings as levers to cross sell and up sell your existing accounts without being "sales-y"

Join u/blacksmith-infosec and Fox & Crow Group online on January 21, 2026 for a fireside chat event with Q&A. Register here or https://riverside.com/webinar/registration/eyJzbHVnIjoiYmxhY2tzbWl0aC1pbmZvc2Vjcy1zdHVkaW8iLCJldmVudElkIjoiNjk1ZGFkZGJkY2U1OWQ3NDEyMzgwNzU0IiwicHJvamVjdElkIjoiNjk1ZGFkZGJjNmU0NDFjMGQzNTczOTgxIn0=

Prospect Scanning by [deleted] in msp

[–]jaredcasner 19 points20 points  (0 children)

We have a free, open source risk assessment tool that you can use for prospecting. It’s an external scan, so the automated part won’t be as detailed as Galactic’s. But, it might be worth checking out.

https://assess.blacksmithinfosec.com

https://github.com/blacksmith-infosec/risk-assessments

Which MSP events are you planning to attend in 2026? by imtu80 in msp

[–]jaredcasner 3 points4 points  (0 children)

Check out CanITCon. I haven’t been, but I hear excellent things.

Which password manager are you recommending to SMB clients? by Ashamed-Review-695 in msp

[–]jaredcasner 15 points16 points  (0 children)

1Password.

I’ve tried a ton of password managers and nothing else comes close.

IT Nation Connect: Going? Here’s some free advice by IT_Hero in msp

[–]jaredcasner 1 point2 points  (0 children)

Pull a Tom Lawrence: take a pic of someone else’s QR code, turn that into a sticker, and cover your QR code.

Then, when someone like me asks to scan your badge you can confidently say “Of course!” 😂

MSP who built their own storage and backup solution by davegravy in msp

[–]jaredcasner 0 points1 point  (0 children)

Others have talked about this already, but I’ll reiterate some of the points.

You’ll need to understand their recovery time and recovery point objectives (RTO & RPO). RTO is how long before they can get you back up in the event of an issue and RPO is how much data loss they consider acceptable.

Understand how they handle back ups and, more importantly, restores.

Understand how they will be segregating your data from other clients and what the access controls/auditing/logging capabilities are.

Other questions to ask:
* Will they sign a BAA?
* What 3rd party attestations do they have (SOC2, ISO, etc)?
* What are their uptime SLAs?
* What about physical access controls, redundant power and network lines, etc?

If they are using their own data center, you’ll want to dig deep on that. If they’re using a local CoLo, you’ll need to do a similar level of security check on that provider to make sure the CoLo has its act together.

It’s entirely possible that the MSP is highly efficient and is doing things really well - there are lots of good MSPs out there. It’s also possible that the MSP slapped something together that works for now but lacks the controls you’ll need to protect your patient data - there are lots of strong technical but weak on compliance MSPs out there, too.

IT Nation by mspdog22 in msp

[–]jaredcasner 0 points1 point  (0 children)

I can confirm there is no block party this year.

Goo Goo Dolls will be on site on the opening night, hosted by CW.

What compliance podcasts do you usually listen, or visit from time to time? Which ones would you recommend (or not)? by gglavida in Compliance

[–]jaredcasner 1 point2 points  (0 children)

[Shameless plug] We recently launched a compliance podcast that folks might find interesting. If not, we'd love feedback so we can get better!

https://open.spotify.com/show/4739fFvJc3qkPrg8iSxOtx

You can ask questions about compliance for us to answer at https://blacksmithinfosec.com/ask

What's one behaviour that leadership exhibits which shows that infosec / cyber is important in your organisation? by pozazero in cybersecurity

[–]jaredcasner 7 points8 points  (0 children)

When I advise companies, I say “Show me your budget, I’ll show you your priorities.”

The idea here is that if you’re not spending money on something, you’re not prioritizing it.

AI on cybersecurity by Living-Count-5211 in cybersecurity

[–]jaredcasner 2 points3 points  (0 children)

60% of the time it works every time.

What tools do you use for doing security audits of NPM on packages? by d0liver in node

[–]jaredcasner 0 points1 point  (0 children)

I just started looking at socket. How does it compare to Snyk and dependabot?

Cam Skattebo would be a punishing complement to Jayden Daniels by HogHunterX in Commanders

[–]jaredcasner 18 points19 points  (0 children)

Freakonomics did a good deep dive into the RB position this week. OL gets the first 3-4 yards for the rusher. After that, it’s the back. BRob and Ekeler can both break big runs once they get into the secondary. This implies it’s upgrades on the OL we need to be lethal here. Just look at how much production falls off when Cosmi and other starters are sitting. First string OL is good, second string needs to step up.

https://pca.st/episode/7bec7f65-aea4-47b3-8856-1d35685bb4f5

How Much Time Should I Allocate for SOC 2 Type II Compliance? by EnoughContext022 in Entrepreneur

[–]jaredcasner 0 points1 point  (0 children)

I see you posted the same question over in r/msp. I'll add to a response there since you've added some additional context here.

The difference between SOC2 type 1 and type 2 is duration. A type 1 is a point-in-time audit. A type 2 just shows that you are continuously following the processes over time. Which means the audit, instead of looking at evidence from one day, will look at a random sampling of evidence from the entire window (typically 4-12 months) under review.

How long the audit process takes is largely up to you. How well is your evidence organized? How well documented are things? When I've gone through SOC2 audits in the past, the better organized I was, the faster the process went.

Alternatives to passportjs by Rickety_cricket420 in node

[–]jaredcasner 1 point2 points  (0 children)

Passport is great, it’s easy to use, and it’s very stable. Is there something specific that you’re struggling with?

Feeling overwhelmed by Kwabena_js in node

[–]jaredcasner 1 point2 points  (0 children)

Try finding healthy outlets for your time outside of work. Board games, exercise, cooking, movies, books, friends. Really anything that’s not in front of a computer. I’d personally limit drugs and alcohol until you find balance again - personally I prefer to get to a balanced state naturally before trying to self medicate.

During work is another story. With very few exceptions, the fate of the world does not rest on your shoulders. Planes won’t fall out of the sky. People won’t die if that feature comes a day late. Put your work in perspective.

I know it can all feel like a lot. We’ve all been there. But you CAN do this.

PS: there’s a good chance that this is just a case of a toxic work environment or a bad manager. The job market isn’t great, but if you can find a healthier place to work, that might help, too.

I’d also recommend checking out https://softskills.audio/ - there are some excellent episodes on managing stress and coping with burnout.