Whole-laptop scanner for the Axios supply chain attack

On March 31, 2026, attackers hijacked the npm maintainer account for axios (300M+ weekly downloads) and published poisoned versions that deploy a cross-platform Remote Access Trojan. The malicious versions were live for ~3 hours before being pulled. Every security vendor published analysis. None shipped a tool that scans your entire laptop. So we built one. The 30-second version curl -sL https://raw.githubusercontent.com/booklib-ai/dispatch/main/dispatches/2026-04-01-axios-supply-chain-attack/scan.sh -o scan.sh chmod +x scan.sh ./scan.sh This scans every npm project on your machine, checks for malware artifacts, verifies no C2 connections are active, and lists credentials that may have been exfiltrated. What happened The attacker compromised the jasonsaayman npm account and published: [email protected] (targeting the 1.x user base) [email protected] (targeting the legacy 0.x branch) Both versions inject [email protected] — a package that runs a postinstall script deploying platform-specific