Two npm Supply Chain Attacks in One Day — Here's What Your Compliance Framework Says About It
Axios v1.14.1 was hijacked and Claude Code leaked 512K lines of source. These trigger specific compliance controls that require documented evidence of detection and response.
Why This Is a Compliance Event, Not Just a Security Event
Most teams will treat these as security incidents: scan for the bad version, update, move on.
But if your organization is subject to SOC 2, NIST 800-53, CMMC, or FedRAMP, these incidents trigger specific compliance controls that require documented evidence of detection and response.
The Axios Compromise Maps To:
| Framework | Control | Requirement |
|---|---|---|
| NIST 800-53 | SA-12 | Supply Chain Protection — verify integrity of acquired software |
| NIST 800-53 | SI-7 | Software, Firmware, and Information Integrity |
| SOC 2 | CC6.8 | Vulnerability Management — identify and remediate vulnerabilities |
| SOC 2 | CC8.1 | Change Management — evaluate changes before deployment |
| CMMC L2 | SI.L2-3.14.1 | Identify, report, and correct system flaws in a timely manner |
| FedRAMP | SA-12 | Supply Chain Risk Management |
| SSDF | PO.1 | Define security requirements for software and its environment |
The Claude Code Leak Maps To:
| Framework | Control | Requirement |
|---|---|---|
| NIST 800-53 | SA-11 | Developer Security Testing — verify no sensitive data in releases |
| SOC 2 | CC6.1 | Logical Access Controls — prevent unauthorized information disclosure |
| CMMC L2 | SC.L2-3.13.16 | Protect confidentiality of CUI at rest |
| SSDF | PW.7 | Review and verify release artifacts before publishing |
What Your Auditor Will Ask
If you're going through a SOC 2 Type II audit and these packages were in your dependency tree, your auditor will ask:
If your answer is "we ran npm audit a few days later," that's not evidence. That's hope.
What Automated Detection Looks Like
A compliance-aware scanner in your CI/CD pipeline catches this automatically:
```shell
npx @cveriskpilot/scan --preset enterprise
```
The scan detects Axios 1.14.1 in your lockfile, classifies it as CWE-506 (Embedded Malicious Code), and maps it to every affected compliance control. The PR gets blocked. The finding gets a POAM entry. The audit trail writes itself.
Before the developer even sees the PR comment, the compliance evidence is already generated: no spreadsheet, no manual mapping, no Friday afternoon spent cross-referencing CVEs to controls.
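What that detection and mapping step looks like in code, as an added example that is not CVERiskPilot's scanner: it walks a package-lock.json (lockfileVersion 2 or 3), flags every installed copy of a denylisted version, and emits a finding carrying the CWE and the control mapping from the table above. The denylist, the `some-sdk` dependency and the version numbers in the sample lockfile are constructed for this example.

```javascript
// Added example (not CVERiskPilot's code): find a known-compromised package
// version in package-lock.json (lockfileVersion 2 or 3) and emit an audit-ready
// finding that maps the hit to the controls in the tables above. Node.js only.

// Constructed denylist; a real one comes from an advisory feed. The entry mirrors
// the Axios incident and control mapping described on this page.
const COMPROMISED = {
  "axios@1.14.1": {
    cwe: "CWE-506",
    title: "Embedded Malicious Code",
    controls: ["NIST 800-53 SA-12", "NIST 800-53 SI-7", "SOC 2 CC6.8", "SOC 2 CC8.1",
               "CMMC L2 SI.L2-3.14.1", "FedRAMP SA-12", "SSDF PO.1"],
  },
};

// Enumerate every installed copy, including nested duplicates under another
// dependency's node_modules; v2/v3 lockfiles key a flat "packages" map by path.
function* installedPackages(lock) {
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    yield { name, version: meta.version, path };
  }
}

// One finding per installed copy of a denylisted version. `detectedAt` is the
// timestamp an auditor asks for; `decision` records what the CI gate did.
function scanLockfile(lock, denylist = COMPROMISED, now = new Date()) {
  const findings = [];
  for (const pkg of installedPackages(lock)) {
    const hit = denylist[`${pkg.name}@${pkg.version}`];
    if (!hit) continue;
    findings.push({ ...pkg, ...hit, severity: "CRITICAL",
                    decision: "BLOCK_PR", detectedAt: now.toISOString() });
  }
  return findings;
}

// Constructed lockfile: a clean axios at top level plus the hijacked version
// pulled in transitively by another dependency (the copy a top-level check misses).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/axios": { version: "1.13.0" },
    "node_modules/some-sdk": { version: "2.1.0", dependencies: { axios: "1.14.1" } },
    "node_modules/some-sdk/node_modules/axios": { version: "1.14.1" },
  },
};
if (typeof require !== "undefined" && require.main === module)
  console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
```

The returned finding objects are the evidence record: commit them to the POAM or ticket system from the CI job rather than reconstructing the timeline later.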
The Real Lesson
Supply chain attacks aren't new. But they're accelerating:
The question isn't whether you'll encounter a compromised dependency. It's whether your compliance posture can prove you caught it, when you caught it, and what you did about it.
If your scanner finds the CVE but can't tell you which SOC 2 or CMMC control is affected — you still have a compliance gap.
Try It
```shell
# Scan your project right now
npx @cveriskpilot/scan --preset startup
npx @cveriskpilot/scan --deps-only --severity CRITICAL
```
Free. Offline. No account. One command to close the gap between "we found it" and "we can prove we found it."
CVERiskPilot is 100% Veteran Owned, built in Texas. The Pipeline Compliance Scanner is free on npm.
Tags: Supply Chain Security, npm, DevSecOps, Compliance, NIST 800-53, SOC 2, CMMC, Vulnerability Management, CI/CD
Ready to close the compliance gap?
Run your first compliance scan in 90 seconds. No account needed.
```shell
npx @cveriskpilot/scan@latest --preset startup
```
