Launching today

EDAMAME Security
Axios / LiteLLM hacks behavioral detector app for Mac/PC
Runtime security for developers and AI agents. EDAMAME watches what code does on your machine — not what it claims to be. It detects credential harvesting, C2 beaconing, and temp-directory execution through behavioral invariants that hold across every supply chain attack variant. Four independent detection layers, 60-second cycles, zero configuration. Proven against Trivy, LiteLLM, and axios hacks. Free, open source, works on macOS/Windows/Linux.

This is beta grade - prefer EDAMAME hosted versions of the app (minimum: 1.1.4) - we decided to rush the launch in the wake of the various Trivy > LiteLLM > Axios attacks. THERE WILL BE MORE TO COME - THIS IS A CHAIN REACTION.
We built EDAMAME because we kept watching the same movie on repeat: supply chain attack hits, everyone scrambles to figure out if they were affected, and the answer is always "we don't know — the evidence is gone."
The axios compromise today is a perfect example. The dropper deleted itself after execution. The malicious npm versions are already unpublished. Your lock file may already look clean. But the RAT is still beaconing every 60 seconds from every machine that ran npm install during that three-hour window.
That's the problem we set out to solve: not "what happened?" but "is it happening on my machine right now?"
EDAMAME watches what code actually does at runtime — which files a process holds open, where it connects, how it got there. No signatures, no prior knowledge of the attack, no configuration. Install it, and within 60 seconds you know if something is wrong.
The approach evolved from a simple insight: attackers can change everything about their payload — the language, the package, the obfuscation, the C2 protocol — but they can't change what the payload needs to do. It needs to touch your credentials. It needs to phone home. It needs to run from somewhere it shouldn't. Those are behavioral invariants, and they're what EDAMAME detects.
We've now reproduced and detected three major supply chain attacks in fifteen days (Trivy, LiteLLM, axios) — all with the same engine, zero updates between them. That's the validation we were hoping for. The E2E test suite is open source if you want to try it yourself.