incident-report · 2026-03-31 · npm-supply-chain

The axios attack lasted 3 hours.

70 million weekly downloads. Zero tools caught it. Preflight would have blocked it in 30 seconds — before a single line of code executed on a developer's machine.

attack window 3:00:00 · tools that caught it 0 · preflight time 00:00:30
distribution · github action only

One line. Every PR. Forever free.

We don't ship as an npm package; a supply-chain scanner you install through the channel it scans would be a contradiction. Add this workflow to .github/workflows and Preflight scans every dependency change before merge. Two practical notes: the workflow is path-filtered to lockfiles, so a PR that touches no lockfile skips the job, and if you mark the Preflight status as required in branch protection those PRs will show the check as pending rather than passed (GitHub's documented workaround is a second workflow with the same job name and the inverse paths-ignore filter that simply reports success). And pin the action to a full commit SHA rather than a tag, for the same reason Preflight exists.

# .github/workflows/preflight.yml
name: Preflight
on:
  pull_request:
    paths:
      - 'package-lock.json'
      - 'pnpm-lock.yaml'
      - 'yarn.lock'
permissions:
  pull-requests: write   # post the verdict comment on the PR
  statuses: write        # set the commit status that branch protection requires
  contents: read
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Pin to a full commit SHA instead of a tag before relying on this check in branch protection.
      - uses: Javeria-taj/preflight-ai/preflight-action@v1.0.0
        with:
          lockfile: package-lock.json
          fail_on_block: true   # turn a BLOCK verdict into a failing status
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
runtime · 6 stages · ~3 seconds end-to-end

From PR to verdict, before merge.

Preflight lives in the GitHub PR lifecycle. It triggers automatically the moment a dependency change appears.

01/06 · PR opens · +0.0s
The pull_request event fires the moment a developer pushes a dependency change.
02/06 · Lockfile diff · +0.4s
We extract the exact set of new and bumped packages from the lockfile, not the manifest, so transitive bumps are covered as well as direct ones.
03/06 · Script analysis · +1.1s
Every install hook is diffed against its previous version. A new postinstall is an instant flag.
04/06 · AI reasoning · +2.4s
Gemini correlates the three deterministic signals, weighs precedent, and writes a plain-English verdict.
05/06 · Verdict posted · +2.8s
A structured PR comment lands within seconds: confidence, signals, rationale.
06/06 · PR blocked · +3.0s
On BLOCK we set the required status check to failing. Merge is impossible until someone overrides, and we log who did.
detection · 4 signals (3 deterministic + AI correlation)

We don't check CVEs.
We watch behaviour.

Most existing tools are reactive: they look up packages and versions already known to be bad. Preflight reasons about unknown-bad packages, the ones nobody has seen yet.

SIGNAL 01 · SD · Script Diff

Diffs every install hook (preinstall, install, postinstall) against the previous version. An install script that first appears in a patch release is a strong compromise indicator.
  + "postinstall": "node ./_postinstall.js"
  - (no postinstall in 1.7.9)
  → NEW HOOK ADDED · severity HIGH
tags: NEW HOOK · CHANGED HOOK · REMOVED HOOK
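To make stages 02 and 03 of the pipeline and this Script Diff signal concrete, here is an added example in Node.js; it is not Preflight's own code. It diffs two npm lockfiles to find added and bumped packages, then diffs each package's install hooks between the previous and new version and rates the result by the size of the version bump. The lockfiles, the per-version scripts map and the package names are constructed for the example; a real scanner would read each version's package.json scripts from the registry packument or the tarball.

```javascript
// Added example (not Preflight's own code): the lockfile-diff and script-diff
// stages over constructed inputs. Handles npm lockfile v2/v3 ("packages" map);
// v1 lockfiles are out of scope here.
const HOOKS = ['preinstall', 'install', 'postinstall'];

// Map each node_modules path in a lockfile to { name, version }.
function lockPackages(lock) {
  const out = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const i = path.lastIndexOf('node_modules/');
    const name = i === -1 ? (meta.name || path) : path.slice(i + 'node_modules/'.length);
    out.set(path, { name, version: meta.version });
  }
  return out;
}

// Stage 02: the exact set of added or bumped packages, taken from the lockfile.
function diffLockfiles(oldLock, newLock) {
  const before = lockPackages(oldLock);
  const changes = [];
  for (const [path, pkg] of lockPackages(newLock)) {
    const prev = before.get(path);
    if (!prev) changes.push({ ...pkg, from: null });
    else if (prev.version !== pkg.version) changes.push({ ...pkg, from: prev.version });
  }
  return changes;
}

function bumpKind(from, to) {
  if (from === null) return 'new';
  const [a, b] = [from, to].map(v => v.split('.').map(Number));
  if (a[0] !== b[0]) return 'major';
  if (a[1] !== b[1]) return 'minor';
  return 'patch';
}

// Stage 03 / Signal 01: diff the install hooks of the previous and new version.
// A hook that appears or changes in a patch/minor bump is the high-severity case;
// a brand-new dependency or a major bump that carries a hook is worth a look, not a block.
function diffScripts(change, oldScripts = {}, newScripts = {}) {
  const bump = bumpKind(change.from, change.version);
  const strict = bump === 'patch' || bump === 'minor';
  const findings = [];
  for (const hook of HOOKS) {
    const before = oldScripts[hook], after = newScripts[hook];
    if (before === after) continue;
    let tag, severity;
    if (before === undefined) { tag = 'NEW HOOK'; severity = strict ? 'HIGH' : 'MEDIUM'; }
    else if (after === undefined) { tag = 'REMOVED HOOK'; severity = 'LOW'; }
    else { tag = 'CHANGED HOOK'; severity = strict ? 'HIGH' : 'MEDIUM'; }
    findings.push({ name: change.name, from: change.from, to: change.version, bump,
                    hook, tag, severity, before: before ?? null, after: after ?? null });
  }
  return findings;
}

// Whole PR. `scripts` maps "name@version" to that version's package.json "scripts"
// (a real run would read them from the registry packument or the tarball).
function scanLockfileChange(oldLock, newLock, scripts) {
  const findings = [];
  for (const change of diffLockfiles(oldLock, newLock)) {
    const oldScripts = change.from === null ? {} : scripts[`${change.name}@${change.from}`] || {};
    const newScripts = scripts[`${change.name}@${change.version}`] || {};
    findings.push(...diffScripts(change, oldScripts, newScripts));
  }
  const worst = ['HIGH', 'MEDIUM', 'LOW'].find(s => findings.some(f => f.severity === s));
  return { verdict: worst === 'HIGH' ? 'BLOCK' : worst ? 'WARN' : 'PASS', findings };
}

// Constructed sample data: one bump that adds a postinstall (mirroring the Script Diff
// sample on this page) and one benign bump with no hooks.
const OLD_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'payments-api' },
  'node_modules/axios': { version: '1.7.9' },
  'node_modules/ms': { version: '2.1.2' } } };
const NEW_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'payments-api' },
  'node_modules/axios': { version: '1.7.10' },
  'node_modules/ms': { version: '2.1.3' } } };
const SCRIPTS = {
  'axios@1.7.9': { test: 'mocha' },
  'axios@1.7.10': { test: 'mocha', postinstall: 'node ./_postinstall.js' },
  'ms@2.1.2': {}, 'ms@2.1.3': {} };

const result = scanLockfileChange(OLD_LOCK, NEW_LOCK, SCRIPTS);
for (const f of result.findings) {
  console.log(`${f.name} ${f.from} -> ${f.to} (${f.bump}): ${f.tag} ${f.hook} severity ${f.severity}`);
}
console.log('verdict:', result.verdict);
```

Diffing the lockfile rather than the manifest is what makes the transitive case visible: the `ms` bump above never appears in package.json, yet it is inspected the same way as the direct `axios` bump. The severity ladder is deliberately conservative about brand-new dependencies, which legitimately ship install scripts far more often than patch releases do.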
SIGNAL 02 · AS · AST Scan

Static analysis of every JS file in the package with acorn. Flags child_process.spawn and exec, eval and dynamic require, base64-decoded payloads, and outbound network calls.
  pattern: child_process.spawn → outbound https
  severity: critical
  → matches 4 known IOCs
tags: EVAL · SPAWN · OUTBOUND HTTPS · OBFUSCATED
SIGNAL 03 · MT · Maintainer

Tracks the npm publisher of every release. Detects publish-key rotation, account age, long inactivity before a release, and 2FA status: the account takeover is the supply-chain weak link.
  publisher_key: rotated 6h ago
  last_release: 238d inactive
  2fa: disabled
  → HIJACK PATTERN
tags: KEY CHANGE · INACTIVE 90D+ · NEW MAINTAINER · 2FA OFF
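The maintainer signal over a constructed registry document, as an added example that is not Preflight's code. It uses only fields the public npm packument actually carries (the `time` map and each version's `_npmUser`); publish-key rotation and the publisher's 2FA status are not exposed in the public packument, so they are not modelled here. The package name, usernames and dates are constructed, and the 238-day gap is chosen to mirror the sample above.

```javascript
// Added example (not Preflight's own code): the maintainer signal computed from a
// constructed packument, the document served at https://registry.npmjs.org/<name>.
const DAY_MS = 86_400_000;

// Versions ordered by publish time, so "previous release" is well defined even
// when an older line receives a backport after a newer major.
function sortedVersions(packument) {
  return Object.keys(packument.versions)
    .sort((a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b]));
}

function maintainerSignal(packument, version, inactiveDays = 90) {
  const order = sortedVersions(packument);
  const idx = order.indexOf(version);
  if (idx === -1) throw new Error(`unknown version ${version}`);
  const prev = idx > 0 ? order[idx - 1] : null;
  const publisher = packument.versions[version]._npmUser?.name ?? null;
  const prevPublisher = prev ? packument.versions[prev]._npmUser?.name ?? null : null;
  const gapDays = prev
    ? Math.round((Date.parse(packument.time[version]) - Date.parse(packument.time[prev])) / DAY_MS)
    : null;

  const tags = [];
  if (prev && publisher !== prevPublisher) tags.push('NEW MAINTAINER');
  if (gapDays !== null && gapDays >= inactiveDays) tags.push(`INACTIVE ${inactiveDays}D+`);
  // A publisher who is not in the current maintainers list is a stronger anomaly
  // than a rotation between two known maintainers.
  const known = (packument.maintainers || []).map(m => m.name);
  if (publisher && !known.includes(publisher)) tags.push('UNKNOWN PUBLISHER');

  // The hijack pattern: a dormant package suddenly published by a different account.
  const hijackPattern = tags.includes('NEW MAINTAINER') && tags.some(t => t.startsWith('INACTIVE'));
  return { version, prev, publisher, prevPublisher, gapDays, tags, hijackPattern };
}

// Constructed packument (not a real registry document): two releases by the
// listed maintainer, then a release 238 days later from an account nobody listed.
const PACKUMENT = {
  name: 'example-lib',
  maintainers: [{ name: 'alice' }],
  time: {
    '1.7.8': '2025-06-01T00:00:00Z',
    '1.7.9': '2025-08-05T00:00:00Z',
    '1.7.10': '2026-03-31T00:00:00Z',
  },
  versions: {
    '1.7.8': { _npmUser: { name: 'alice' } },
    '1.7.9': { _npmUser: { name: 'alice' } },
    '1.7.10': { _npmUser: { name: 'mallory' } },
  },
};

for (const v of sortedVersions(PACKUMENT)) {
  const s = maintainerSignal(PACKUMENT, v);
  console.log(`${v}: publisher=${s.publisher} gap=${s.gapDays}d tags=[${s.tags.join(', ')}]`
    + (s.hijackPattern ? ' → HIJACK PATTERN' : ''));
}
```

The `_npmUser` field is set by the registry at publish time and cannot be chosen by the publisher, which is what makes it usable as a signal; `maintainers`, by contrast, is editable by any current maintainer, so an attacker who has already taken over an account can add themselves there and the UNKNOWN PUBLISHER tag alone should not be trusted in isolation.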
SIGNAL 04 · AI · Gemini AI

Correlates the three deterministic signals plus 50+ contextual features. Returns a verdict, a confidence score, and an attack-pattern label.
  pattern: npm_account_hijack
  class: rat_deployment
  confidence: 0.94
  → BLOCK
tags: GEMINI 2.5 PRO · ATTACK PATTERN · CONFIDENCE
three minutes from now

Run the exact attack. See the block.

We pre-loaded the actual axios 1.7.9 → 1.7.10 payload from the March 31 incident. Click run. Watch Preflight catch it.

$ preflight --watch · scanning · rate 127/min · p50 284 ms · region us-east-1 · model gemini-2.5-flash · uptime 99.97%