Four major npm supply chain attacks in six weeks (TanStack, Axios, node-ipc, Bitwarden CLI) expose zero tooling for post-compromise credential scope assessment
Between March and May 2026, four major npm supply chain attacks hit packages with millions of weekly downloads: Axios 1.14.1 (March 30, account takeover via expired domain), node-ipc 9.1.6 (May 14, 3.35M monthly downloads), 42 TanStack packages via GitHub Actions OIDC poisoning (May 11, 12M weekly downloads on react-router alone), and Bitwarden CLI (April 22). Every incident postmortem tells developers to rotate all credentials but offers no tooling to answer the question that actually matters: which credentials were reachable at the time of the compromised install on this specific machine? Developers are doing manual forensics -- checking env vars, SSH agent state, CI/CD runner context, git credential helpers -- across potentially dozens of affected machines. The gap: a CLI forensics triage tool that reconstructs the credential exposure surface at the time of a known-compromised install (given a lockfile commit and a timestamp) and generates a prioritized rotation checklist.
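A minimal version of the triage step described above, as an added example (not code from the page or from any existing tool): it takes the lockfile as it was at the install (for instance the output of `git show <commit>:package-lock.json`), a snapshot of the environment and a list of credential-bearing files present on the machine, checks whether a known-compromised version was installed, and turns whatever a postinstall script could have read into a priority-ordered rotation list. The advisory list uses only the two versions the page names (Axios 1.14.1, node-ipc 9.1.6) and is a constructed stand-in for a real feed; the environment-variable patterns, file paths and priority numbers are assumptions chosen for illustration, as are the sample inputs.

```python
"""Post-compromise credential-scope triage for an npm install (added example).

Answers two questions for one machine: did the lockfile at the time of the
install contain a known-compromised version, and which credentials would a
postinstall script running as the developer have been able to read?
"""
import json
import re
from dataclasses import dataclass

# Constructed advisory list: only the versions named in the text. A real tool
# would pull this from an advisory feed; this is not an authoritative source.
COMPROMISED = {"axios": {"1.14.1"}, "node-ipc": {"9.1.6"}}

# (pattern, priority, reason). Priority 1 = rotate first. Assumed patterns,
# not an exhaustive catalogue of secret-bearing variables.
ENV_RULES = [
    (re.compile(r"^(NPM_TOKEN|NODE_AUTH_TOKEN)$"), 1, "npm publish token"),
    (re.compile(r"^(GITHUB_TOKEN|GH_TOKEN|ACTIONS_ID_TOKEN_REQUEST_TOKEN)$"), 1, "GitHub/CI token"),
    (re.compile(r"^AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)$"), 1, "AWS credential"),
    (re.compile(r"^SSH_AUTH_SOCK$"), 2, "SSH agent socket: agent-held keys were usable"),
    (re.compile(r".*(TOKEN|SECRET|PASSWORD|API_KEY)$"), 3, "generic secret-like variable"),
]

# Files readable by a postinstall script; paths and priorities are assumptions.
FILE_RULES = {
    "~/.npmrc": (1, "npm auth token in .npmrc"),
    "~/.git-credentials": (1, "git credential store (plaintext)"),
    "~/.aws/credentials": (1, "AWS long-lived keys"),
    "~/.ssh/id_ed25519": (2, "SSH private key (usable if unencrypted)"),
    "~/.config/gh/hosts.yml": (2, "gh CLI OAuth token"),
}


@dataclass(frozen=True)
class Finding:
    priority: int
    source: str  # env var name or file path
    reason: str


def compromised_installs(lockfile_text):
    """Return sorted (name, version) pairs in the lockfile that match COMPROMISED.

    Supports lockfile v2/v3 ("packages" keyed by node_modules path, nested
    deps appear as deeper paths) and v1 ("dependencies" tree).
    """
    lock = json.loads(lockfile_text)
    hits = set()
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry
        name = path.split("node_modules/")[-1]  # keeps @scope/name intact
        if meta.get("version") in COMPROMISED.get(name, set()):
            hits.add((name, meta["version"]))

    def walk_v1(deps):
        for name, meta in deps.items():
            if meta.get("version") in COMPROMISED.get(name, set()):
                hits.add((name, meta["version"]))
            walk_v1(meta.get("dependencies", {}))

    walk_v1(lock.get("dependencies", {}))
    return sorted(hits)


def exposure_surface(env, present_files):
    """Map an environment snapshot and the files present to Findings."""
    findings = []
    for name in env:
        for pattern, prio, reason in ENV_RULES:
            if pattern.match(name):
                findings.append(Finding(prio, name, reason))
                break  # most specific rule wins
    for path in present_files:
        if path in FILE_RULES:
            prio, reason = FILE_RULES[path]
            findings.append(Finding(prio, path, reason))
    return findings


def rotation_checklist(lockfile_text, env, present_files):
    """Checklist lines, highest priority first; empty if nothing compromised was installed."""
    hits = compromised_installs(lockfile_text)
    if not hits:
        return []
    lines = ["Compromised versions installed: " + ", ".join(f"{n}@{v}" for n, v in hits)]
    for f in sorted(exposure_surface(env, present_files), key=lambda f: (f.priority, f.source)):
        lines.append(f"[P{f.priority}] rotate {f.source}: {f.reason}")
    return lines


# Constructed sample inputs standing in for one developer machine.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/foo/node_modules/node-ipc": {"version": "9.1.6"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})
SAMPLE_ENV = {"PATH": "/usr/bin", "NPM_TOKEN": "x", "SSH_AUTH_SOCK": "/tmp/agent.1", "STRIPE_SECRET": "x"}
SAMPLE_FILES = ["~/.npmrc", "~/.ssh/id_ed25519", "~/.bashrc"]

if __name__ == "__main__":
    for line in rotation_checklist(SAMPLE_LOCK, SAMPLE_ENV, SAMPLE_FILES):
        print(line)
```

The two inputs that a real tool would have to capture from the machine, the environment snapshot and the file list, are passed in explicitly here so the logic runs offline and is testable; a CI runner would supply its own snapshot (job env, OIDC request token variables, mounted secrets) in the same shape. Matching is done on the lockfile rather than on `node_modules` so the check works for a commit that has since been fixed.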
Score Breakdown
Social Proof 2 sources
Gap Assessment
Pre-install behavioral flagging tools (Socket.dev, Snyk) exist and cover the prevention side. No tool addresses the forensic triage question: what was exposed on my specific machine at the time of this specific compromised install. The wave of back-to-back high-profile attacks in spring 2026 has made this the top developer security conversation. The gap is clean and not covered by existing ideas in the pipeline.