Three hours is a short window. But axios sits so deep in the Node dependency tree that any Singapore government agency running CI/CD with floating version ranges and no enforced lockfile could have pulled the compromised package during an automated build without a human touching it. The real exposure is not developers at their desks. It is unattended build systems ingesting poison and baking it into production artifacts.
This is also a clean example of why software supply chain integrity cannot be solved by scanning alone. The malicious dependency was a net-new package, not a known-bad signature, so there was nothing for a scanner to match. Detection came from the community, not from tooling. For public sector organisations building on open source, lockfile discipline (a committed lockfile that the build actually honours, `npm ci` rather than `npm install`), hash verification of every fetched tarball against the lockfile's integrity pins, and controlled internal registries are not optional hygiene. They are compensating controls for a trust model that assumes registry integrity the registry cannot guarantee.