Published on 02.04.2026
TLDR: Two malicious versions of axios, one of the most downloaded npm packages on the planet, were published on March 30-31, 2026 after an attacker hijacked the primary maintainer's npm account. The packages installed a remote access trojan on developer machines across macOS, Windows, and Linux. If you ran npm install during that window, treat the machine as compromised.
Axios npm Package Compromised With Remote Access Trojan
TLDR: Anthropic shipped a 57-59 MB source map file in version 2.1.88 of the Claude Code npm package, exposing over 500,000 lines of TypeScript across nearly 1,900 files. This was reportedly the second time such a leak occurred, with a similar incident in February 2025.
Claude Code Source Leaked via npm Source Maps: Lessons for Every DevOps Team
TLDR: Spell UI is a collection of React UI components built for design engineers, designed to drop into projects using Tailwind CSS with no installation overhead beyond copying the component code.
TLDR: AI Elements is a shadcn/ui-based component library and custom registry built specifically for AI-native applications, covering chat interfaces, IDE-style code editors, and workflow visualization canvases.