GeistHaus

Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages

thehackernews.com

TeamPCP’s Mini Shai-Hulud campaign used hijacked GitHub OIDC tokens to spread a credential-stealing worm through TanStack npm packages.

2 pages link to this URL
npm Is on Fire — Vivian Voss

Wire Fire Episode 01. Six weeks of supply-chain compromise on the npm registry, ending on 12 May 2026 with the Shai-Hulud worm source going public. 31 March: state-sponsored operators (Microsoft Sapphire Sleet, Mandiant UNC1069) backdoor axios versions 1.14.1 and 0.30.4 for three hours, tagged latest; roughly 100 million weekly downloads. 29 April: Mini Shai-Hulud hits four SAP-related npm packages. 11 May 19:20 to 19:26 UTC: 84 versions across 42 TanStack packages, then @uipath, @mistralai/mistralai, OpenSearch, Guardrails AI; 172 packages and 403 versions inside 48 hours, ~518M cumulative downloads. 2025 alone: 454,648 malicious npm packages, more than 99 per cent of all open-source malware now targets npm. The architectural answer has been quietly available for decades.

Techmeme

Top news and commentary for technology's leaders, from all around the web.