Hacker News

OpenAI's response to the Axios developer tool compromise

74 points by shpat today at 12:45 AM | 45 comments

Comments

fortuitous-frog today at 2:47 AM

Interesting that (1) this blog post was published on April 10th, 10 days after the Axios compromise, and (2) this was emailed to ChatGPT / Codex users yesterday, April 21st, 11 days after the blog post...

After an incident as widely publicized as Axios, I'd expect dependency auditing, credential rotation, and public incident communication to all be carried out with much more urgency. And if they were going to send this out to all of their users (as they should), I would expect _that_ to happen shortly after publishing the post (why wait 11 days???).

danscan today at 3:17 AM

Axios, like Express, is something I'm shocked to see used in any modern codebase. I loved both in the 2010s. In JS/TS-land there are much simpler and better options these days. Depending on Axios suggests the devs don't know how to use fetch. I can't think of another reason it would be a necessary dependency.

docheinestages today at 8:44 AM

> Out of an abundance of caution we are taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps.

What did I just read?

mlitwiniuk today at 8:28 AM

I’m a web dev, I never made a publicly accessible desktop app, so please forgive my ignorance, but:

> At that time, a GitHub Actions workflow we use in the macOS app-signing process downloaded and executed a malicious version of Axios (version 1.14.1)

So if I understand this correctly, their GH Actions is free to upgrade the package just like that? Is this normal practice, or is it just shifting blame?

eranation today at 6:59 AM

As others said, no one should be using axios in 2026; fetch has been available in node since v18 (experimental) in 2022 [0] and stable since v21 in 2023 [1]. Claude Code sometimes will still suggest it, so it's probably worth adding a rule.

Side note. I'm sure many of you know this, but for those who don't: setting min-release-age=7 in .npmrc (needs npm 11.10+) would have made the malicious axios (@1.14.1 and @0.30.4) invisible to npm install (they were removed within ~3h). Same for ua-parser-js (caught within hours) and node-ipc (caught in days). It wouldn't have prevented event-stream (over 2 months), but you can't win them all.

Some examples (hat tip to [2]):

  ~/.config/uv/uv.toml
  exclude-newer = "7 days"

  ~/.npmrc
  min-release-age=7 # days

  ~/Library/Preferences/pnpm/rc
  minimum-release-age=10080 # minutes

  ~/.bunfig.toml
  [install]
  minimumReleaseAge = 604800 # seconds

p.s. sorry for the plug, but we released a free tool ([3]) to gather all these settings, plus a CLI to auto-configure them. You can set these settings without it, but if you are confused (like me) about what is in minutes, what's in seconds, what is in days, and where each of them is located, this might save you a few keystrokes / prompts (it also ensures you have the right min version for the package manager; otherwise you'll have the settings but they would be ignored...)

[0] https://nodejs.org/en/blog/announcements/v18-release-announc...

[1] https://nodejs.org/en/blog/release/v21.0.0

[2] https://news.ycombinator.com/item?id=47513932

[3] https://depsguard.com
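An added example in Node.js (not from the thread, and not code from the depsguard tool linked above): it parses the four settings listed in this comment, normalises them to seconds so the day/minute/second units can be compared against one policy, and shows why a release pulled within ~3h of publication is never visible under a 7-day floor. The file contents are constructed, and the parsing rules are my own simplification (one `key = value` line per setting, optional `#` comment).

```javascript
// Constructed snippets mirroring the comment's examples (not real files).
const CONFIGS = {
  'uv (~/.config/uv/uv.toml)': 'exclude-newer = "7 days"',
  'npm (~/.npmrc)': 'min-release-age=7 # days',
  'pnpm (~/Library/Preferences/pnpm/rc)': 'minimum-release-age=10080 # minutes',
  'bun (~/.bunfig.toml)': '[install]\nminimumReleaseAge = 604800 # seconds',
};
const UNIT_SECONDS = { days: 86400, minutes: 60, seconds: 1 };

// Same idea, four spellings, three units; uv takes a "<n> <unit>" string (unit: null).
const RULES = [
  { key: 'exclude-newer', unit: null },
  { key: 'min-release-age', unit: 'days' },
  { key: 'minimum-release-age', unit: 'minutes' },
  { key: 'minimumReleaseAge', unit: 'seconds' },
];

// Configured minimum age in seconds, or null when unset or unparseable.
// Assumes one `key = value` line per setting, with an optional # comment.
function minAgeSeconds(configText) {
  for (const line of configText.split('\n')) {
    const m = line.match(/^\s*([\w-]+)\s*=\s*("?)([^#"]*)\2/);
    if (!m) continue;
    const rule = RULES.find((r) => r.key === m[1]);
    if (!rule) continue;
    const value = m[3].trim();
    if (rule.unit) {
      const n = Number(value);
      return value !== '' && Number.isFinite(n) ? n * UNIT_SECONDS[rule.unit] : null;
    }
    const d = value.match(/^(\d+)\s+(days|minutes|seconds)$/);
    return d ? Number(d[1]) * UNIT_SECONDS[d[2]] : null;
  }
  return null;
}

// Report each manager's floor and whether it meets the target (default: 7 days).
function auditConfigs(configs, targetDays = 7) {
  const target = targetDays * UNIT_SECONDS.days;
  return Object.fromEntries(Object.entries(configs).map(([name, text]) => {
    const seconds = minAgeSeconds(text);
    return [name, { seconds, meetsPolicy: seconds !== null && seconds >= target }];
  }));
}

// Is a version published at `publishedAt` (ms since epoch) installable at `now`?
// With a 7-day floor, a release yanked ~3h after publication is never visible.
function releaseVisible(publishedAt, now, minAgeSecs) {
  return (now - publishedAt) / 1000 >= minAgeSecs;
}
```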

tomalbrc today at 9:20 AM

Whatever. If you are still using OpenAI products, shame on you.

mrcwinn today at 3:36 AM

Above and beyond post. This is good.

sdevonoes today at 7:37 AM

Using TS/JS in the backend is irresponsible in 2026. We have better languages and ecosystems.
