TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Datadog Security Labs

The case for dependency cooldowns in a post-axios world

2026-04-16

ATT&CK techniques detected

4 predictions
T1195.001 Compromise Software Dependencies and Development Tools
96%
"…,000 other npm packages depend on it. Before that, we saw S1ngularity and both Shai-Hulud attacks, compromising over 1,300 npm packages in total. Supply chain compromises have not been limited to JavaScript. Attackers have also targeted ecosystems like GitHub Actions and Pyth…"
T1195.001 Compromise Software Dependencies and Development Tools
89%
"…packages. Instead, they pull in hundreds or thousands of transitive dependencies, most of which developers never review or even see. When you install a package, you install its entire supply chain. Even if you don't use a dependency directly, one of your other dependencies prob…"
T1195.001 Compromise Software Dependencies and Development Tools
79%
"The case for dependency cooldowns in a post-axios world. Application security has reached a crossroads between velocity and security. In the past, teams focused on the risks of outdated dependencies, which tend to accumulate known vulnerabilities, and prioritized upgrading as qu…"
T1195.001 Compromise Software Dependencies and Development Tools
45%
"…bound; one week is the commonly recommended guidance. What cooldowns cannot protect against: dependency cooldowns are not foolproof. As cooldowns become widespread, patient attackers may delay malware execution to survive the waiting period. Code that doesn't execute on install…"

Summary

Understanding npm and the importance of dependency cooldowns.