npm audit isn't enough: I simulated a supply chain attack on my Node dependencies and found what the scanner can't see

The right answer for protecting a Node project's dependencies is: don't trust npm audit. I know that sounds wrong — it's the official tool, it's in every doc, the green CI badge tells you you're good. But after running the same vector that destroyed the PyTorch Lightning situation against my own stack, I have to be straight with you: the green badge is the most dangerous part of the entire chain. Let me tell you what I found.

Supply chain attacks on Node production dependencies: the problem audit doesn't model

When the post about PyTorch Lightning malware dropped I couldn't let it go. I covered it from the ML angle (you can read that here), but the question that kept nagging at me was different: what happens if I run the same vector against my Node dependencies? Not against a toy project.…