Post Mortem: axios npm supply chain compromise
Summary
Two malicious axios versions were published to npm through a compromised maintainer account; the versions injected a remote access trojan. The post mortem covers the timeline, the remediation steps, and the security improvements that followed, such as immutable releases and OIDC adoption. It highlights lessons for maintainers, CI pipelines, and organizations that rely on open source packages.