How we caught the Axios supply chain attack
ID: 3bf9b8a7-313f-50e9-bb0d-d20aaa106a0e
STIX ID: report--3bf9b8a7-313f-50e9-bb0d-d20aaa106a0e
Feed Name: Elastic Security Labs
This first-hand account describes how an AI-based package-diffing proof-of-concept detected a major npm supply-chain compromise of axios that introduced a phantom dependency with a malicious postinstall hook (a cross-platform RAT using steganography, obfuscation, and C2 exfiltration). The report ties the incident to a broader credential-theft campaign affecting Trivy, LiteLLM, and Telnyx, notes suspected DPRK/TeamPCP attribution, outlines the rapid response and detections, and recommends mitigations (soak time for new releases, credential rotation) while open-sourcing the monitoring tool.
