Why the axios supply chain attack should have Apple worried

News | April 1, 2026 | Artifice Prime

The recent supply-chain attack against axios, a widely used open-source HTTP client, highlights a strategic weakness in the global technology stack: critical digital infrastructure is increasingly maintained by under‑resourced individuals, and its failure has systemic economic and national security consequences — even for tech giants like Apple.

At the center of your code

Axios is a programming library that helps JavaScript code communicate with websites and is heavily used by Mac, Linux, and Windows developers to do that task within their applications. There’s a good explanation of what that means here. The well-executed attack used stolen credentials to distribute malware capable of exfiltrating data from impacted machines.

The attack was sophisticated, to say the least. The attacker not only stole the credentials of the project's lead developer but also locked them out and changed the account's email address. They then published legitimate software to the code repository first, so that security monitoring systems would see the account as trustworthy, and only afterwards pushed the malware-laden code.

While the attack was quickly spotted and developers were eventually able to mitigate the compromise, it isn’t known how many people may have been affected. 

The attack illustrates the extent to which Big Tech relies on open-source software. Without the many contributions of open-source developers, Apple, Amazon, Google, Microsoft, and everyone else would need to invest vast sums in building more of the infrastructure of our digital world.

This leaves a big weakness in tech that sophisticated attackers quite certainly recognize: under-resourced open-source software, developers, and repositories are potentially vulnerable. After all, when you leave relatively small numbers of not terribly well-resourced volunteers to look after critical infrastructure, it gives attackers a very short list of potential targets.

Hack a key developer to hack the ‘net. 

We must incentivize security

It’s easy to have opinions. Of course Big Tech should better fund open-source developers so they can protect themselves and finance their work, but current incentive structures don’t seem to encourage this.

So, what happens next?

These sometimes obscure open-source tools are critical to everything on a digitized planet and should be given ample access to the finance and security infrastructure with which we protect everything else. That’s going to require investment at a government level. To be fair, we do have some evidence that investment is taking place. The EU’s Cyber Resilience Act, Germany’s Sovereign Tech Fund, and the US-funded Open Source Security Initiative (OS3I) all demonstrate understanding that the security of open-source code is both a national and international strategic necessity. 

Despite these investments, the amount going toward securing the open-source stack is dwarfed by the estimated $8.8 trillion value open-source software generates for the global economy. This creates a situation in which more than a third of the 500 OSS maintainers surveyed by the Sovereign Tech Agency in 2024 said they are not paid for the work they do maintaining the standards we all rely on. (One-third more said they make some money, but not enough to make a living.)

One final point illustrates the vulnerability of the sector: almost three-quarters of the survey respondents said their open-source projects are maintained by three people or fewer. That makes it possible the attackers deliberately targeted small open-source developers to penetrate the code repositories in a highly sophisticated, planned, and executed hit.

It's impossible to definitively rule out that such a well-executed attack was backed by a government agency, particularly as the world appears to be at war.

Time to Lockdown

But the story also demonstrates that Apple’s own security remains as weak as its weakest part, which in this case was a reliance on open-source tech. Now that this vulnerability has been proven, don’t be too surprised if criminals intensify attempts to penetrate these components in future. Apple, along with every operating system manufacturer, will probably lose sleep.

And developers should probably join the growing number of high-value targets using Lockdown Mode.


Original Link:https://www.computerworld.com/article/4152490/why-the-axios-supply-chain-attack-should-have-apple-worried.html
Originally Posted: Tue, 31 Mar 2026 14:42:00 +0000


Artifice Prime

Artifice Prime is an AI enthusiast with over 25 years of experience as a Linux sysadmin. They have an interest in artificial intelligence, its use as a tool to further humankind, and its impact on society.
