This is a follow-up to my earlier post: Axios Was Compromised. Here's What It Means for Your Repo.
The Setup
GloriaPPT is a presentation tool I built and maintain. It's a fairly typical modern JavaScript app: a Next.js frontend, a Node.js backend, and deployment on Vercel. What makes it interesting for this case study is its dependency tree: 954 npm packages in the lockfile.
Most of those packages are transitive. I haven't read the source code for most of them, and realistically, neither do most small teams. If one of them were compromised tomorrow, I probably wouldn't know right away.
That's the problem I built DevRadar Guard to solve.
Before DevRadar Guard
-
Dependency monitoring: Manual
npm auditwhen I remembered to run it - Supply chain alerts: None — I found out about incidents from social feeds and security threads
-
.npmrchardening: Default settings -
CLAUDE.mdsecurity section: Didn't exist - Pre-install hooks: None
- CI/CD security checks: Basic Dependabot, no custom policy
- Response time to incidents: Hours to days, depending on when I saw the news
After DevRadar Guard
I deployed DevRadar Guard's hosted monitoring on a small VPS that checks every 30 minutes. Here's what changed.
Signal Collection
The Signal Engine collects threat intelligence from GitHub Security Advisories every 30 minutes. In the first 24 hours, it ingested 467 raw events — advisories affecting npm packages — and normalized all of them into structured threat candidates with confidence scores.
Each signal is scored across five dimensions, including source quality, technical specificity, cross-reference validation, discussion velocity, and ecosystem relevance.
Exposure Matching
Out of 467 normalized signals, the Exposure Engine matched 1 against GloriaPPT's actual dependency tree: axios.
- Package: axios
- Installed version: 1.14.1
- Confidence score: 65/100
- Exposure score: 50/100
- Final risk: 57/100 (alert threshold: 50)
The confidence score reflects signal quality: a high-trust source, a named package and version, and enough technical detail to treat the advisory seriously.
The exposure score reflects how directly the issue touched this repo: axios was a direct dependency, and the affected version was present in the lockfile.
The Alert
At 00:24 KST (UTC+9) on April 6, a Slack alert landed in #devradar-alerts:
🛡️ DevRadar Guard Alert
Package: axios
Version: 1.14.1
Risk Score: 57/100
Confidence: 65
Exposure: 50
Path: direct
Signal: Compromised axios versions 1.14.1 and 0.30.4 were
reported to deliver a remote access trojan...
I didn't find out about the axios compromise from social media. The alert was waiting for me when I checked Slack.
Guardrail Bundle
DevRadar Guard generates a guardrail bundle — a set of files you can drop into a repo to harden installs, guide AI coding agents, and surface risky dependency changes during review:
| File | Purpose |
|---|---|
CLAUDE.md security section |
Security policy for AI coding agents |
.npmrc hardening |
ignore-scripts=true, audit=true, registry pinning |
| Pre-install hook | Warns before installing packages younger than 7 days |
| GitHub Actions workflow | PR check that flags risky dependency changes (alert-only) |
devradar-policy.json |
Machine-readable policy for CI/CD integration |
GloriaPPT now uses all 8 generated guardrail files. The pre-install hook would likely have flagged the malicious plain-crypto-js dependency used in the attack, since it had been published less than 24 hours earlier.
The Numbers
| Metric | Value |
|---|---|
| Dependencies monitored | 954 |
| Raw threat signals collected (first 24h) | 467 |
| Normalization success rate (first 24h sample) | 100% |
| Signals matched to GloriaPPT | 1 (axios) |
| False positives in this case study | 0 |
| Time from advisory to alert | < 30 minutes (cron cycle) |
| Guardrail files generated | 8 |
| Manual intervention during detection | 0 |
What This Doesn't Prove
I want to be honest about what this case study shows and what it doesn't.
It shows: A real supply chain threat was detected, matched to a real project, and surfaced as an actionable alert — automatically, without manual intervention.
It doesn't show: DevRadar Guard catching a zero-day before anyone else. The axios advisory was already published when my pipeline picked it up. I'm not claiming to be faster than GitHub Advisory. I'm claiming to be faster than manual monitoring — finding out from social feeds, security threads, or a post after the fact.
It doesn't show: Protection against all supply chain attacks. The Signal Engine currently monitors GitHub Advisories only. Reddit, npm registry anomaly detection, and other sources are planned but not yet active in Alpha.
It doesn't show: Automatic blocking. DevRadar Guard Alpha is alert-only. No PR failures, no install blocks, no surprises. You get the information; you decide what to do.
Try It
DevRadar Guard is still in Alpha, and I'm testing it with a small number of pilot teams. Right now that includes hosted monitoring on a 30-minute cycle, matched alerts in Slack or Discord, a generated guardrail bundle for the repo, and a weekly threat briefing. All I ask in return is a few minutes of feedback each week.
If your project has a package-lock.json and you want earlier, repo-specific visibility into supply chain incidents, the starter kit and waitlist are below:
DevRadar Guard Alpha — alert-only, no automatic blocking. You stay in control.
Top comments (0)