The case for dependency cooldowns in a post-axios world
ID: 64a9bfe1-49d7-50ad-8b8e-66854fe868d6
STIX ID: report--64a9bfe1-49d7-50ad-8b8e-66854fe868d6
Feed Name: Datadog Security Labs
The report analyzes a wave of software supply-chain attacks that delivered malicious code through popular package ecosystems (npm, PyPI, GitHub Actions), including high-impact incidents such as compromised Axios releases and campaigns by actors like TeamPCP. It explains how semantic versioning combined with rapid automatic updates widens an attacker's blast radius, because a malicious release is pulled into downstream builds within hours of publication, and recommends mitigations including dependency cooldowns, minimum release-age gates, software composition analysis (SCA), and pre-install scanning and blocking tools.
