The three-hour window matters less than the blast radius. Axios sits in the dependency tree of nearly everything in the Node ecosystem, which means any Singapore government agency running CI/CD pipelines with loose version pinning could have pulled the compromised package during an automated build without a human ever reviewing it. That is the real exposure: not developers installing packages at their desks, but unattended build systems ingesting poison and baking it into production artifacts.
This is also a clean example of why software supply chain integrity cannot be solved by scanning alone. The malicious dependency was a net-new package, not a known-bad signature. Detection came from the community, not from tooling. For public sector organisations building on open source, this reinforces that lockfile discipline, hash verification, and controlled internal registries are not optional hygiene. They are compensating controls for a trust model that assumes registry integrity the registry cannot guarantee.
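As an added example, not code from the original post: a pre-install check a CI job could run before `npm ci` to enforce the lockfile discipline, hash verification and controlled-registry controls named above. It assumes an npm lockfileVersion 3 layout, a hypothetical internal registry host `npm.internal.example`, and the constructed sample manifests embedded below.

```javascript
// Exact-version pattern (no ^, ~, *, x or ranges).
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Returns a list of findings; an empty list means the manifests pass.
function auditDependencies(pkg, lock, allowedRegistryHost) {
  const findings = [];
  // 1. Loose ranges let an unattended build float onto a freshly published
  //    (possibly poisoned) version without anyone reviewing the change.
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (!EXACT.test(range)) findings.push(`${field}: ${name}@${range} is not pinned to an exact version`);
    }
  }
  // 2. Every resolved package must carry an integrity hash and be served from the
  //    controlled registry; npm verifies the hash on install only if it is present.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    if (!entry.integrity) findings.push(`${path}: missing integrity hash`);
    if (!entry.resolved) { findings.push(`${path}: missing resolved URL`); continue; }
    let host;
    try { host = new URL(entry.resolved).host; } catch { host = null; }
    if (host !== allowedRegistryHost) {
      findings.push(`${path}: resolved from ${host ?? 'invalid URL'}, expected ${allowedRegistryHost}`);
    }
  }
  return findings;
}

// Constructed sample manifests (not real project files): axios is loosely pinned,
// unverified and pulled from the public registry; express passes all three checks.
const samplePkg = { dependencies: { axios: '^1.6.0', express: '4.18.2' } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo' },
    'node_modules/axios': { version: '1.6.0', resolved: 'https://registry.npmjs.org/axios/-/axios-1.6.0.tgz' },
    'node_modules/express': {
      version: '4.18.2',
      resolved: 'https://npm.internal.example/express/-/express-4.18.2.tgz',
      integrity: 'sha512-PLACEHOLDER-CONSTRUCTED-HASH',
    },
  },
};

for (const f of auditDependencies(samplePkg, sampleLock, 'npm.internal.example')) console.log('FAIL', f);
```

In a pipeline, a non-empty findings list should fail the build before any package is fetched.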