Alice in Supply Chains

Bonus episode with special Guest John Hammond



In this special bonus episode, Adrian and Alexandre are joined by John Hammond, one of cybersecurity’s most recognizable YouTube creators and Senior Principal Security Researcher at Huntress - a cybersecurity company dedicated to protecting businesses of all sizes against modern-day cybercrime - for a deep dive into software supply chain attacks using the recent Axios NPM compromise as a case study. It's a timely conversation: supply chain incidents have gone from occasional headlines to a near-constant drumbeat, and the Axios case offers an unusually clear window into how these attacks actually work end-to-end.


- The discussion tackles the viral "stop updating your software" take head-on, with John arguing the real answer is nuance - keep patching Windows and Chrome, but treat CI/CD dependencies very differently. Adrian lays out his case for splitting vulnerability management into two distinct processes: traditional scan-driven work for compliance, and a separate intelligence-driven "VulnOps" function that operates more like incident response.


- The group also walks through the remarkable social engineering campaign that compromised the Axios maintainer — a patient, weeks-long con involving a fake Slack workspace, rescheduled Teams meetings, and a click-fix payload disguised as an audio troubleshooting step. One striking data point from John: the malicious package detonated 89 seconds after hitting NPM.


- The back half turns practical, with a concrete checklist for third-party risk teams and internal dev orgs: pin dependency versions, cache artifacts locally (which saved Tenchi during the Trivy incident, when attackers modified previously released binaries), enforce age-based release gates, separate CI from CD, apply least privilege to pipeline credentials, and maintain an asset inventory that can answer "do we have this package?" in seconds. John closes with homework for listeners: look up the Clean Source Principle.
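A minimal implementation of the age-based release gate from that checklist, added here as an example (not code from the episode, from Huntress, or from Tenchi Security): it compares a lockfile's resolved versions against the publish timestamps that the npm registry exposes under its `time` key and fails any dependency younger than a minimum age or lacking a timestamp. The package names, versions and timestamps below are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of npm registry "time" metadata: one ISO-8601 publish
# timestamp per version, as the real registry returns for a package.
REGISTRY_TIME = {
    "axios": {
        "1.7.9": "2024-12-04T08:00:00.000Z",
        "1.8.0": "2025-03-01T12:00:00.000Z",
    },
    "left-pad": {"1.3.0": "2018-01-31T00:00:00.000Z"},
}

# Constructed sample of resolved versions as a lockfile would pin them.
# "lodash" is deliberately absent from REGISTRY_TIME to exercise the
# missing-metadata path (a gate must fail closed, not skip the package).
LOCKED = {"axios": "1.8.0", "left-pad": "1.3.0", "lodash": "4.17.21"}


def parse_npm_time(ts):
    """Parse the registry's timestamp format into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def age_gate(locked, registry_time, now, min_age_days=7):
    """Return a list of (name, version, reason) for every dependency that
    fails the gate. An empty list means the lockfile may proceed to CD."""
    failures = []
    for name, version in sorted(locked.items()):
        published = registry_time.get(name, {}).get(version)
        if published is None:
            failures.append((name, version, "no publish timestamp in registry metadata"))
            continue
        age = now - parse_npm_time(published)
        if age < timedelta(days=min_age_days):
            hours = age.total_seconds() / 3600
            failures.append((name, version,
                             f"published {hours:.1f} h ago, under the {min_age_days}-day minimum"))
    return failures


if __name__ == "__main__":
    for name, version, reason in age_gate(LOCKED, REGISTRY_TIME, datetime.now(timezone.utc)):
        print(f"BLOCK {name}@{version}: {reason}")
```

A package that detonates seconds after publication, as the Axios one did, cannot pass a gate like this until the window has elapsed, which is exactly the time the ecosystem needs to notice and yank it.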


Alice in Supply Chains, by Tenchi Security