EDAMAME Security: a behavior-tracking app for Mac/PC that detects Axios/LiteLLM-style hacks.

by SkillAiNest

This is son Grade – Prefer the Edamium hosted version of the app (minimum: 1.1.4) – We decided to rush the launch in the wake of the various Trivy > LiteLLM > Axios attacks. There will be more to come – it’s a chain reaction.

We created EDAMAME because we keep seeing the same movie over and over again: supply chain attacks hit, everyone scrambles to find out if they’ve been infected, and the answer is always “we don’t know – the evidence is gone.”

Today’s axios compromise is a perfect example. The dropper deleted itself after execution. The malicious npm versions are already unpublished. Your lock file may already look clean. But the RAT is still beaconing every 60 seconds from every machine that ran npm install during that three-hour window.

That’s the problem we set out to solve: not “What happened?” but “Is this happening on my machine right now?”

EDAMAME looks at what the code actually does at runtime — what files a process opens, where it connects to, how it got there. No signature, no advance knowledge of the attack, no configuration. Install it, and within 60 seconds you’ll know if something’s wrong.

The approach evolved from a simple insight: attackers can change everything about their payload—the language, the package, the obfuscation, the C2 protocol—but they can’t change what the payload needs to do. It needs to touch your credentials. It needs to call home. It needs to run from somewhere it shouldn’t be. These behaviors do not change, and they are what EDAMAME detects.
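The following sketch is an added example, not EDAMAME's engine or code: it applies the three behaviors named above (credential access, calling home at a fixed interval, running from an unexpected location) plus package-install lineage to process telemetry. The record layout, path lists, thresholds and sample hosts are all assumptions made for illustration.

```python
from statistics import pstdev

# Assumed heuristics for this sketch; none of these lists come from EDAMAME.
CRED_HINTS = (".ssh/", ".aws/credentials", ".npmrc", ".config/gcloud")
ODD_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/dev/shm/")
INSTALLERS = {"npm", "pip", "yarn"}


def is_beaconing(times, min_hits=4, min_gap=10, jitter=2.0):
    """True when connection timestamps (seconds) are evenly spaced, not a burst."""
    if len(times) < min_hits:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    return min(gaps) >= min_gap and pstdev(gaps) <= jitter


def findings(proc):
    """Return the behavioral traits a single process record exhibits."""
    hits = []
    if any(h in path for path in proc["files"] for h in CRED_HINTS):
        hits.append("touches-credentials")
    for dest, times in proc["connections"].items():
        if is_beaconing(sorted(times)):
            hits.append(f"beacons-to:{dest}")
    if proc["exe"].startswith(ODD_DIRS):
        hits.append("runs-from-odd-location")
    if INSTALLERS & set(proc["lineage"]):
        hits.append("spawned-by-package-install")
    return hits


def suspicious(procs, threshold=3):
    """Processes that combine at least `threshold` traits."""
    scored = {p["name"]: findings(p) for p in procs}
    return {n: f for n, f in scored.items() if len(f) >= threshold}


# Constructed telemetry, not captured from any real incident.
SAMPLE = [
    {"name": "node-build", "exe": "/usr/local/bin/node",
     "lineage": ["zsh", "npm", "node"],
     "files": ["/home/dev/app/package.json"],
     "connections": {"registry.example:443": [0, 3, 4, 19]}},
    {"name": "upd", "exe": "/tmp/.cache/upd",
     "lineage": ["zsh", "npm", "sh", "upd"],
     "files": ["/home/dev/.ssh/id_ed25519", "/home/dev/.npmrc"],
     "connections": {"c2.example:8000": [10, 70, 131, 190, 250]}},
]
```

Requiring several traits together keeps an ordinary `npm install` child process, which shares only the lineage trait, below the threshold.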

We’ve now replicated and detected three major supply chain attacks (Trivy, LiteLLM, axios) in a fortnight – all with the same engine, with zero updates between them. This is the confirmation we were hoping for. The E2E test suite is open source if you want to try it yourself.
