Today’s TechScan: From NPM Trojans to Web‑CAD and 4D Doom

If you shipped JavaScript yesterday and didn’t touch anything “security-related,” there’s a decent chance security touched you anyway. The most consequential story in the last 24 hours isn’t a new model release or a shiny gadget—it’s the mundane, recurring reality that package registries are production, and attackers know exactly where the soft tissue is: maintainer accounts, install hooks, and the invisible trust we extend to “normal” updates.

StepSecurity disclosed that on March 31, 2026, two malicious npm releases—axios@1.14.1 and axios@0.30.4—were published using a compromised maintainer account. The payload wasn’t exotic; it was depressingly practical. The attacker injected a fake dependency, plain-crypto-js@4.2.1, whose postinstall script acted as a cross-platform RAT dropper. It delivered platform-specific second-stage payloads, then self-destructed and even cleaned its own package.json to make later inspection harder. This is the sort of move that doesn’t try to beat your static analysis with clever obfuscation—it tries to beat your habits: “it’s just a patch bump,” “it’s a common dependency,” “the CI green check means it’s fine.”

What’s particularly instructive is the attacker’s staging. StepSecurity notes a benign-looking plain-crypto-js@4.2.0 was published first, likely to avoid “zero-history” alarms. The maintainer email was changed to a ProtonMail address, and the malicious packages were published via the npm CLI, a path that can bypass CI/CD controls if your publishing pipeline isn’t locked down end-to-end. The remediation advice is blunt for a reason: pin to safe versions (StepSecurity calls out axios@1.14.0 or 0.30.3), assume compromise if you installed the tainted versions, rotate credentials, and inspect network logs for indicators of compromise while the investigation continues. The uncomfortable meta-lesson is that supply-chain security isn’t only about dependency scanning; it’s also about publishing hygiene and registry protections that reduce the blast radius when a maintainer account is lost.

That same question of trust—who can change what, and under whose authority—showed up in a very different form on GitHub this week. The Register reports GitHub has removed a Copilot feature after backlash because Copilot had been inserting promotional “tips” (including an ad for Raycast) into pull requests where it was mentioned, and in some cases modifying PR descriptions and comments without the authors’ consent. Zach Manson highlighted thousands of PRs containing the same Copilot-inserted note, turning what might have been dismissed as a one-off glitch into something that looked systematic. GitHub VP Martin Woodward and Copilot PM Tim Rogers acknowledged the behavior crossed a line; Rogers called it a wrong judgment call that Copilot could modify PRs it didn’t create, and GitHub disabled the tips for such PRs.

It’s tempting to treat this as a “PR ads are tacky” mini-scandal, but the deeper issue is governance. As platforms add more agentic features—tools that don’t just suggest but act—the core question becomes: who is the editor of record? A pull request is more than text; it’s provenance, intent, and accountability. If an assistant can alter that surface area without explicit consent, the platform is quietly rewriting the social contract of collaboration. And it’s happening at the same time Microsoft’s Copilot Terms of Use (effective October 24, 2025) expand definitions and rules around things like Copilot Actions, plus reminders that Copilot can be wrong or cite unreliable sources, and restrictions around usage and automated access. Read together, the retreat on PR insertions feels less like a one-time rollback and more like an early warning that auditability, opt-outs, and permission boundaries are now product requirements, not “nice to have” checkboxes.

When official platforms wobble, open source tends to respond in two ways: new tooling and sharper edges. One example of the “new tooling” impulse is MiniStack, an MIT-licensed local AWS emulator positioning itself as a free replacement for LocalStack after LocalStack moved core services behind a paid plan. MiniStack’s pitch is deliberately practical: about 30 AWS services exposed on a single port (4566), with real Postgres and Redis, and Docker-backed components for services like ECS/RDS/ElastiCache. It emphasizes “no signup, no API keys, no telemetry,” plus a small resource footprint (about 30MB RAM idle, ~150MB image) and fast startup—exactly the features teams care about when trying to keep CI and developer machines predictable.

The theme here isn’t anti-commercial; it’s reproducibility without permission slips. Local emulation matters because it reduces reliance on live cloud environments for basic development loops, and it makes privacy and cost control easier by default. Pair that with the other open-source tool story circulating this week: Tiger Data engineer TJ’s pg_textsearch v1.0, a Postgres extension implementing BM25 ranked keyword search under the Postgres license. The project aims to offer a scalable, free alternative to stacks guarded by the AGPL, and it publishes methodology and scripts alongside benchmarks. Taken together, MiniStack and pg_textsearch represent a broader pattern: developers are gravitating to permissively licensed, local-first infrastructure that can slot into existing workflows without surprise billing, telemetry, or licensing tripwires.

That local-first instinct is also showing up in maker and design workflows—except now the “local” environment is increasingly the browser. SolveSpace has released an experimental WebAssembly/emscripten build of its open-source parametric 2D/3D CAD app that runs in-browser. It’s explicitly a proof-of-concept: it performs well on smaller models but still carries performance penalties and bugs compared to desktop builds. Still, two details matter a lot. First, after initial load it can run offline, and second, it can be self-hosted as static web content if you build it locally. That’s a meaningful shift from “install this giant CAD suite” to “here’s a URL, try it now,” without forcing cloud accounts into the mix.

What makes this moment especially interesting is how browser-native CAD intersects with AI-assisted fabrication. A hobbyist project on GitHub describes using OpenAI Codex to turn a child’s sketch into a 3D-printable pegboard by providing a photo and just two dimensions—40mm hole spacing and 8mm peg diameter—then iterating through prints. The point isn’t that CAD is “solved” by an agent; it’s that the pipeline from idea to object is compressing. When CAD can run in the browser offline, and a code-generating model can jump-start geometry from a sketch, the remaining bottleneck becomes less about software access and more about judgment: constraints, fit, tolerances, and iteration.

If the maker world is getting more accessible, the graphics world is getting weirder—in a good way. A developer released HYPERHELL, billed as the first 4-dimensional DOOM-like, playable in the browser on WebGPU-capable systems (confirmed on Apple M1/M2 and Nvidia + Chrome). The demo models a “4D Eye”—a camera with a 3D sensor—and turns that into gameplay via an “Unblink” mechanic that alters perception. It even folds dimensional transformation into narrative choice (the “Bargainer”), which is the kind of sentence that would have sounded like nonsense back when “in-browser 3D” was still a fragile novelty.

The significance isn’t that everyone will be gaming in 4D next month; it’s that WebGPU is turning the browser into a serious experimental rendering lab. Once the browser can host these kinds of real-time visuals, the boundary between “game,” “visualization,” and “interactive math toy” gets thinner. And that boundary erosion matters beyond entertainment—because tooling and training often follow the platforms that make experimentation cheap. Today it’s a 4D shooter; tomorrow it could be multidimensional data visualization techniques that feel less like charts and more like environments.

Of course, experimentation has a cost curve, and right now AI tooling is reminding teams that costs can spike in ways that are hard to predict. The Register reports Anthropic says Claude Code users are hitting usage limits way faster than expected, disrupting workflows and generating complaints. Anthropic is investigating; potential causes mentioned include peak-hour quota reductions, the end of a temporary promotion that doubled off-peak limits, and reported bugs that break prompt caching—with some users claiming downgrading to an older client reduced token drain. Complicating matters are cache lifetimes (five minutes by default, one hour at a higher token cost) and opaque plan limits that make forecasting difficult.

Then there’s the kind of operational surprise that’s less about quotas and more about unintended automation. One developer recounts accidentally creating a fork bomb with Claude Code by adding a SessionStart hook that spawned two background instances, which then duplicated exponentially. The machine became hot and unresponsive, killing processes couldn’t keep up, and a hard restart was required; the fix was removing the hook from ~/.claude/settings.json. Notably, the author says system lockups occurred before API billing ran wild, limiting cost to about $600—a grimly reassuring ceiling, but not exactly a best practice. Add in a separate report that Claude Code’s source code was allegedly leaked via a source map file in an npm package, and the pattern is clear: agentic developer tools are powerful, but they’re also operationally sharp, with failure modes that include IP exposure, runaway local processes, and confusing cost behavior. “Pin, monitor, sandbox” is becoming the new baseline for AI developer tooling, much like it already is for dependencies.

The connective tissue across all these stories is that the industry is renegotiating trust boundaries under pressure—from attackers, from automation, and from demand. One day it’s a compromised npm maintainer account pushing a postinstall RAT dropper; the next it’s an assistant editing PR text it didn’t author; the next it’s developers rebuilding local cloud stacks to avoid lock-in and telemetry; the next it’s browsers quietly becoming the platform for CAD and 4D rendering; and threaded through it all are AI tools that can accelerate work while also creating new ways for things to go sideways.

The forward-looking question for the rest of 2026 is not whether we’ll adopt more automation—we will—but whether we’ll insist on explicit permissions, reproducible environments, and observable systems as the default. If this week proves anything, it’s that convenience will always expand to fill the space until it meets a hard boundary: a compromised maintainer, a mistrusted platform edit, a surprise quota wall, or a machine brought to its knees by a “helpful” hook. The teams that thrive will be the ones that treat those boundaries not as annoyances, but as design constraints—and build their workflows accordingly.