Question
Your CI starts making **unexpected outbound connections** to an unknown host during `npm ci`, flagged by egress monitoring on the build runners. Nothing failed; builds are green. Investigation: a transitive dependency published a new **patch** version overnight containing a malicious post-install script that reads env vars (CI secrets) and exfiltrates them. Your lockfile allowed the patch bump because a recent dependency update loosened a pin, and the package's maintainer account was compromised. Some builds in the last 6 hours used the bad version and had access to deploy credentials. How do you triage what leaked, contain, and remediate the supply-chain exposure?
Stop the bleeding first (contain: block the host, halt the pipeline, pin out the bad version), then form hypotheses from real signals rather than guesses: which runs resolved the bad version, which secrets were in their environment, where the outbound traffic went. Separate root cause (the loosened pin plus the compromised maintainer account) from symptom (the unexpected egress), communicate status as you go, and close with what prevents a repeat.
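A small triage helper for the scenario above, added here as an example (it is not part of the original answer and not any project's tooling). It parses a `package-lock.json` in the lockfileVersion 3 layout to find entries resolved to a known-bad version, lists the packages npm flagged with `hasInstallScript` (the set that `npm ci --ignore-scripts` neutralises while you investigate), shows every non-exact version spec that would have let a fresh patch release through, and joins constructed CI run records against the known-bad versions to produce the list of secrets to rotate. The package names (`evil-pkg`, `web-framework`), versions, build ids and secret names are all constructed placeholders.

```python
"""Triage helpers for a compromised npm transitive dependency (added example).

All package names, versions, build records and secret names below are
constructed placeholders; feed in the real lockfile and CI run records.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Package -> versions known to carry the malicious post-install script.
COMPROMISED = {"evil-pkg": {"1.4.3"}}  # constructed placeholder

# Constructed package-lock.json: lockfileVersion 3 keeps a "packages" map
# keyed by node_modules path; "" is the root project itself.
LOCKFILE = json.loads("""{
  "name": "app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "app", "version": "1.0.0",
         "dependencies": {"web-framework": "^2.1.0", "logger": "3.0.1"}},
    "node_modules/web-framework": {"version": "2.1.4",
         "dependencies": {"evil-pkg": "~1.4.0"}},
    "node_modules/evil-pkg": {"version": "1.4.3", "hasInstallScript": true},
    "node_modules/logger": {"version": "3.0.1"}
  }
}""")

EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")


def _name_from_path(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (scoped names keep their scope)."""
    return path.rsplit("node_modules/", 1)[-1]


def affected_packages(lock: dict, compromised: dict = COMPROMISED) -> list:
    """Lock entries whose resolved version is a known-bad one."""
    hits = []
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue  # root project entry, not a dependency
        name = entry.get("name") or _name_from_path(path)
        version = entry.get("version")
        if version in compromised.get(name, set()):
            hits.append({"path": path, "name": name, "version": version,
                         "install_script": bool(entry.get("hasInstallScript"))})
    return hits


def install_script_packages(lock: dict) -> list:
    """Every package npm flagged as having a lifecycle install script:
    what `npm ci --ignore-scripts` skips, and what to review before re-enabling."""
    return sorted(p for p, e in lock.get("packages", {}).items()
                  if p and e.get("hasInstallScript"))


def loose_specs(lock: dict) -> list:
    """(dependant path, dependency, spec) for each non-exact spec, i.e. every
    place a newly published patch release could have been pulled in."""
    out = []
    for path, entry in lock.get("packages", {}).items():
        for dep, spec in entry.get("dependencies", {}).items():
            if not EXACT_VERSION.match(spec):
                out.append((path, dep, spec))
    return out


def exposed_secrets(builds: list, since: datetime,
                    compromised: dict = COMPROMISED) -> dict:
    """Secret name -> sorted ids of builds that ran a bad version in the window.
    Every key is a credential to rotate; the ids are the audit trail."""
    exposed = {}
    for b in builds:
        if b["started"] < since:
            continue
        ran_bad = any(v in compromised.get(pkg, set())
                      for pkg, v in b["resolved"].items())
        if ran_bad:
            for secret in b["secrets"]:
                exposed.setdefault(secret, []).append(b["id"])
    return {k: sorted(v) for k, v in exposed.items()}


# Constructed CI run records: start time, the version of each watched package
# that `npm ci` resolved, and the secrets present in that run's environment.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed "now"
SINCE = NOW - timedelta(hours=6)                          # the 6-hour window
BUILDS = [
    {"id": "b1", "started": NOW - timedelta(hours=9),
     "resolved": {"evil-pkg": "1.4.1"}, "secrets": ["DEPLOY_TOKEN"]},
    {"id": "b2", "started": NOW - timedelta(hours=4),
     "resolved": {"evil-pkg": "1.4.3"}, "secrets": ["DEPLOY_TOKEN", "NPM_TOKEN"]},
    {"id": "b3", "started": NOW - timedelta(hours=2),
     "resolved": {"evil-pkg": "1.4.1"}, "secrets": ["DEPLOY_TOKEN"]},
    {"id": "b4", "started": NOW - timedelta(hours=1),
     "resolved": {"evil-pkg": "1.4.3"}, "secrets": ["AWS_ACCESS_KEY_ID"]},
]

if __name__ == "__main__":
    print("bad packages in lockfile:", affected_packages(LOCKFILE))
    print("packages with install scripts:", install_script_packages(LOCKFILE))
    print("loose specs:", loose_specs(LOCKFILE))
    print("secrets to rotate:", exposed_secrets(BUILDS, SINCE))
```

The join on resolved version rather than on time alone matters: build `b3` ran inside the window but resolved the older version, so its token is not on the rotation list, while `b2` and `b4` are. In practice the resolved version per run comes from the run's own lockfile or `npm ls` output, and the secret inventory from the pipeline definition, since the stolen material is whatever the post-install script could read from the environment.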