A contributor known as Jia Tan spent two years submitting perfectly ordinary patches to xz-utils—a compression library bundled with OpenSSH and deployed on virtually every major Linux distro—only to slip in a backdoor that would have given remote control over any affected server. A Microsoft engineer, Andres Freund, noticed a slight SSH slowdown in March 2024 and raised the alarm. Since then, the pace and scale of supply-chain attacks have exploded. In September 2025 the Shai-Hulud worm hijacked 500 npm packages via phishing-stolen credentials, then came back two months later to infect 25,000 GitHub repos, use GitHub Actions runners as backdoors, and even build a dead-man’s-switch data-wiper. That same fall saw hijacks of 18 popular npm modules—debug, chalk and more—to deliver crypto stealers. Early 2026 brought dYdX wallet-stealer releases, a wave of 1,000 “claw”-named imposter packages targeting Fortune 500 clouds, and in March Axios (70 million weekly downloads) was poisoned by North Korea’s Sapphire Sleet with a cross-platform RAT. TeamPCP followed with a multi-ecosystem worm and Iran-targeted wiper, and in April researchers found 1,700 malicious packages tied to North Korean groups across npm, PyPI, Go and Rust.
Most projects pull in hundreds or thousands of transitive dependencies they never inspect. A typical Node.js app may directly reference 40 packages but resolves to 800–1,500 under the hood; Python pulls in 100–400. Few of those modules see any security review, and many are maintained by a single volunteer. When Axios was corrupted, the real victims were projects three or four layers deep—completely invisible to their developers. Language models now make it trivial to spin up convincing typosquats with proper READMEs and test suites. Automation could replicate Jia Tan’s two-year stealth across dozens of projects in weeks.
You can’t rely on registries or big budgets alone. Lock your dependencies with npm or pip lock files and review diffs on every update. Run npm audit, pip-audit or cargo audit as part of your CI; these tools take seconds. Use npm ls, pip list or services like Socket, deps.dev and Snyk to map your transitive tree and flag known risks. Watch for sudden ownership changes or surprise releases in critical packages. Every layer of your stack needs monitoring—not just the code you write.
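One way to review a lock-file update, shown as an added example that is not code from the original article: it compares two npm `package-lock.json` files (the lockfileVersion 2/3 `packages` map) and flags changes anywhere in the transitive tree. The package names, URLs, hashes and the `diffLockfiles` helper are constructed for illustration.

```javascript
// Added example: compare two package-lock.json files (lockfileVersion 2/3).
// All package names, URLs and hashes below are constructed sample data.
const REGISTRY = "https://registry.npmjs.org/";
const tgz = (name, ver) => `${REGISTRY}${name}/-/${name}-${ver}.tgz`;

const lockBefore = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/example-http": { version: "1.6.0", resolved: tgz("example-http", "1.6.0"), integrity: "sha512-AAAA" },
  "node_modules/example-color": { version: "2.0.1", resolved: tgz("example-color", "2.0.1"), integrity: "sha512-BBBB" },
} };
const lockAfter = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/example-http": { version: "1.6.1", resolved: tgz("example-http", "1.6.1"), integrity: "sha512-CCCC", hasInstallScript: true },
  "node_modules/example-color": { version: "2.0.1", resolved: tgz("example-color", "2.0.1"), integrity: "sha512-ZZZZ" },
  "node_modules/example-http/node_modules/example-helper": { version: "0.0.1", resolved: "https://pkgs.example.invalid/example-helper-0.0.1.tgz", integrity: "sha512-DDDD" },
} };

// Hypothetical helper: returns [{ path, flags }] for every entry that changed.
function diffLockfiles(oldLock, newLock) {
  const oldPkgs = oldLock.packages || {};
  const newPkgs = newLock.packages || {};
  const findings = [];
  for (const [path, pkg] of Object.entries(newPkgs)) {
    if (path === "") continue; // root project entry, not a dependency
    const prev = oldPkgs[path];
    const flags = [];
    if (!prev) flags.push("added");
    else if (prev.version !== pkg.version) flags.push(`version ${prev.version} -> ${pkg.version}`);
    // npm does not let a published version be overwritten, so a new hash
    // for an unchanged version deserves a close look.
    else if (prev.integrity !== pkg.integrity) flags.push("integrity changed for same version");
    // Install scripts run code at `npm install` time; flag their first appearance.
    if (pkg.hasInstallScript && !(prev && prev.hasInstallScript)) flags.push("new install script");
    const moved = !prev || prev.resolved !== pkg.resolved;
    if (moved && pkg.resolved && !pkg.resolved.startsWith(REGISTRY)) flags.push("resolved outside registry");
    if (flags.length) findings.push({ path, flags });
  }
  for (const path of Object.keys(oldPkgs)) {
    if (path !== "" && !(path in newPkgs)) findings.push({ path, flags: ["removed"] });
  }
  return findings;
}

for (const f of diffLockfiles(lockBefore, lockAfter)) console.log(f.path, "=>", f.flags.join("; "));
```

In CI, the two inputs would be the parsed lock file from the base branch and from the pull request, with any non-empty result routed to a human reviewer.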