npm audit isn't enough: I simulated a supply chain attack on my Node dependencies and found what the scanner can't see
npm audit tells you you're safe. I stress-tested that claim with real methodology against my production dependencies and found three attack vectors the scanner doesn't even register. The Node ecosystem has a structural problem that green badges keep hidden.