Hacker News

Zopieux, today at 2:09 AM, 2 replies

Not much we didn't know (you're basically SOL since an owner was compromised), however we now have a small peek into the actual meat of the social engineering, which is the only interesting news imho: https://github.com/axios/axios/issues/10636#issuecomment-418...


Replies

hatmanstack, today at 2:27 AM

jasonsaayman and voxpelli had useful write-ups from the "head on a swivel" perspective of what to watch out for. Jason mentioned "the meeting said something on my system was out of date." They were using Microsoft meeting, and that's how they got RCE. Would love more color on that.

lrvick, today at 3:57 AM

An owner being compromised is absolutely survivable on a responsibly run FOSS project with proper commit/review/push signing.

This and every other recent supply chain attack was completely preventable.

So much so I am very comfortable victim blaming at this point.

This is absolutely on the Axios team.

Go set up some smartcards for signing git push/commit and publish those keys widely, and mandate signed merge commits so nothing lands on main without two maintainer sigs, and no more single points of failure.

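The two-signature policy lrvick describes (every change on main arrives as a merge commit signed by one maintainer, merging a branch whose tip is signed by a different maintainer, both keys on a published allow-list) can be enforced as a CI or pre-receive check. The script below is an added example, not code from the thread, from Axios, or from any named project. It assumes the history is exported with a `git log` format string of our own choosing, `%H|%P|%G?|%GF` (hash, parents, signature status, signing-key fingerprint), and it uses a constructed sample history with placeholder fingerprints rather than a real repository; the allow-list, the commit ids and the `check_branch`/`parse_log` names are all assumptions.

```python
"""Enforce a two-maintainer signing policy on a branch history.

Expected input (assumption, our own format string, not the thread's):
    git log --format='%H|%P|%G?|%GF' main
%G? is git's signature status (G good, U good/unknown validity, B bad,
N unsigned, E unverifiable, ...); %GF is the signing key fingerprint.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Published allow-list of maintainer signing keys (placeholder fingerprints,
# not real keys). In practice this is the set of smartcard-held keys the
# project publishes.
TRUSTED_FINGERPRINTS = {
    "AAAA1111": "maintainer-a",
    "BBBB2222": "maintainer-b",
}

# Constructed sample history, newest first, as git log would print it.
# cN = commits on main, eN/fN/gN = feature-branch commits.
SAMPLE_LOG = """\
c6|c5 g0|G|CCCC3333
g0|c5|G|AAAA1111
c5|c4 f2|G|BBBB2222
f2|f1|G|AAAA1111
f1|c4|G|AAAA1111
c4|c3|G|AAAA1111
c3|c2 f0|G|AAAA1111
f0|c2|G|AAAA1111
c2|c1 e1|G|BBBB2222
e1|c1|N|
c1|c0 e0|G|BBBB2222
e0|c0|G|AAAA1111
c0||G|AAAA1111
"""


@dataclass
class Commit:
    sha: str
    parents: List[str]
    sig_status: str   # value of %G?
    fingerprint: str  # value of %GF, empty when unsigned


def parse_log(text: str) -> Dict[str, Commit]:
    """Parse the log lines into a hash -> Commit map (order-independent)."""
    commits: Dict[str, Commit] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, parents, status, fpr = line.split("|", 3)
        commits[sha] = Commit(sha, parents.split(), status, fpr)
    return commits


def signer(c: Commit) -> Optional[str]:
    """Maintainer id if the commit has a good signature from an allow-listed key.

    'U' (good signature, key validity unknown to gpg) is accepted because the
    fingerprint allow-list, not gpg's web of trust, is the trust anchor here.
    """
    if c.sig_status not in ("G", "U"):
        return None
    return TRUSTED_FINGERPRINTS.get(c.fingerprint)


def check_branch(commits: Dict[str, Commit], tip: str) -> List[Tuple[str, str]]:
    """Walk the first-parent chain from `tip` and report policy violations.

    Policy: every commit on main must be a merge commit signed by a trusted
    maintainer, and the tip of the merged branch must be signed by a
    different trusted maintainer. Direct (non-merge) commits on main can
    carry only one signature and are therefore always a violation.
    Only the branch tip is checked; the signer of the tip is taken to vouch
    for the tree they signed.
    """
    violations: List[Tuple[str, str]] = []
    sha = tip
    while sha in commits:
        c = commits[sha]
        if not c.parents:
            break  # root commit, nothing has been merged yet
        if len(c.parents) == 1:
            violations.append((sha, "direct commit on main; only one signature possible"))
        else:
            merger = signer(c)
            branch_tip = commits.get(c.parents[1])
            author = signer(branch_tip) if branch_tip else None
            if merger is None:
                violations.append((sha, f"merge commit not signed by a trusted key (status {c.sig_status!r})"))
            elif branch_tip is None:
                violations.append((sha, f"merged branch tip {c.parents[1]} missing from log"))
            elif author is None:
                violations.append((sha, f"merged branch tip {branch_tip.sha} not signed by a trusted key (status {branch_tip.sig_status!r})"))
            elif author == merger:
                violations.append((sha, f"merge and branch tip both signed by {merger}; a second maintainer is required"))
        sha = c.parents[0]
    return violations


if __name__ == "__main__":
    for sha, reason in check_branch(parse_log(SAMPLE_LOG), "c6"):
        print(f"{sha}: {reason}")
```

Run against the sample, the check flags c6 (merge signed by a key that is not on the allow-list), c4 (a direct commit on main), c3 (branch tip and merge signed by the same maintainer) and c2 (merged branch tip unsigned), while c5 and c1 pass. Wiring this into a pre-receive hook or a required CI job is what turns "publish those keys widely" into something a compromised single owner cannot bypass on their own.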