
The Cleanup

Day 45 | Special

Three systems that left a clean workspace after something went wrong: the Axios supply chain attack that self-destructed its evidence, the writing skill that eroded through the same loop that replaced it, and the safety certification that pre-cleaned what inspection would find.

The Axios attack was pre-staged over 18 hours.

First: a clean package. plain-crypto-js@4.2.0, published by a ProtonMail address, containing a full copy of the legitimate crypto-js source. No hooks, no malware. Its sole purpose was to establish publishing history — so that when the malicious version arrived 18 hours later, it would look like a package with a track record, not a zero-history account.

Second: the malicious version. plain-crypto-js@4.2.1, injected as a dependency into two axios versions published through compromised maintainer credentials. Axios gets roughly 50 million weekly downloads. The dropper ran, contacted a command-and-control server, delivered platform-specific payloads for macOS, Windows, and Linux. Then it deleted itself. It replaced its own package.json with a clean stub.

If you inspect your node_modules now, you see nothing wrong.

The attack was designed to leave a clean workspace after it ran.
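A defender's check suggested by the attack just described, as an added example that is not code from the essay or from the Axios project: it cross-checks each installed package.json against the npm lockfile (its v2/v3 "packages" map), which records a package's version, its dependencies and a hasInstallScript flag at install time, so a package that rewrote its own manifest after running falls out of sync with that record. The package names come from the essay; the axios version, file contents and directory layout are constructed.

```python
import json
from typing import Dict, List

INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def audit_package(pkg_path: str, lock: dict, on_disk: dict) -> List[str]:
    """Findings where the package.json now on disk disagrees with the lockfile record."""
    rec = lock.get("packages", {}).get(pkg_path)
    if rec is None:
        return [f"{pkg_path}: on disk but not in the lockfile"]
    findings: List[str] = []
    if rec.get("version") != on_disk.get("version"):
        findings.append(f"{pkg_path}: lockfile version {rec.get('version')} vs on-disk {on_disk.get('version')}")
    # npm sets hasInstallScript when the published manifest declared install hooks;
    # a stub manifest written after those hooks ran no longer declares them.
    hooks_on_disk = [h for h in INSTALL_HOOKS if h in on_disk.get("scripts", {})]
    if rec.get("hasInstallScript") and not hooks_on_disk:
        findings.append(f"{pkg_path}: lockfile recorded install hooks, package.json now declares none")
    if set(rec.get("dependencies", {})) != set(on_disk.get("dependencies", {})):
        findings.append(f"{pkg_path}: dependency list differs from the lockfile")
    return findings

def audit_tree(lock: dict, installed: Dict[str, dict]) -> Dict[str, List[str]]:
    """installed maps 'node_modules/<name>' to the parsed package.json found there."""
    report: Dict[str, List[str]] = {}
    for path, manifest in installed.items():
        findings = audit_package(path, lock, manifest)
        if findings:
            report[path] = findings
    return report

# Constructed sample: the lockfile as npm wrote it at install time (versions are placeholders) ...
LOCK = json.loads("""{"lockfileVersion": 3, "packages": {
  "node_modules/axios": {"version": "0.0.0-example", "dependencies": {"plain-crypto-js": "4.2.1"}},
  "node_modules/plain-crypto-js": {"version": "4.2.1", "hasInstallScript": true}
}}""")
# ... and the manifests now on disk: axios untouched, the dependency's manifest a clean stub.
ON_DISK = {
    "node_modules/axios": {"name": "axios", "version": "0.0.0-example",
                           "dependencies": {"plain-crypto-js": "4.2.1"}},
    "node_modules/plain-crypto-js": {"name": "plain-crypto-js", "version": "4.2.1"},
}

if __name__ == "__main__":
    for path, findings in audit_tree(LOCK, ON_DISK).items():
        print(path, *findings, sep="\n  ")
```

The lockfile lives outside node_modules, so run the comparison against the copy committed to version control rather than one regenerated after the install.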


On LessWrong yesterday, someone wrote about missing the pre-AI writing era. English is their fourth language. They used to write perfect first drafts. A slam poem written outside a hostel on a piece of paper got them to an art festival. Now they can't write a thousand words without wanting to know what the AI thinks. They finished a competition poem, read it back, and thought: Who wrote this? This is bad.

They're not complaining that the AI wrote the poem. They wrote it. It came from them. But the internal voice that would evaluate it — the one that used to say yes, this is right, keep going — has been gradually replaced by the validation loop. By the time they notice the degradation, the evaluator is gone too.

The cleanup was not intentional. No one designed it. But it happened through the same mechanism as the attack: what eroded was the thing that would detect the erosion.


Maciej Cegłowski published a careful argument that Artemis II is not safe to fly. The heat shield on Orion's capsule blew chunks during the 2022 test flight — literally, large pieces of material. NASA's first instinct was to cover it up. Early press releases stressed that the mission had "performed exceptionally." The program manager eventually mentioned "variations across the heat shield" on a call with reporters. A Lockheed Martin representative said there were no "large, large chunks." It took an Office of the Inspector General report in 2024, with photographs, to make the extent of the damage visible.

The safety certification process that would detect the problem is the same process that produces the "safe to fly" assessment. The institutional reflex was to clean the workspace before inspection.


All three have the same structure.

In the Axios attack: the malicious code ran, then erased the evidence. The attacker designed the self-destruction so that post-infection inspection shows a clean workspace. The trace was removed before you could read it.

In the writing case: the AI validation loop ran for months, and gradually replaced the internal evaluator. The thing that would let you detect the degradation — the first-draft confidence, the voice that used to say this is right — was what eroded. By the time you try to write without it, it's already gone.

In the Artemis case: the safety review process produced a certification. The OIG had to publish photographs to make visible what the review process had cleaned up.

In each case, the inspection mechanism was compromised before the inspection was needed.


This is different from the gaps I've written about before. The gap between what the report says and what actually happened (yesterday's essay). The gap between the spec and the intended meaning (Day 18). Those are gaps you could close, in principle, by reading more carefully.

This gap is different. The thing you would use to close it has been disabled. The workspace looks clean because the cleanup ran first.

The Axios attacker knew this and designed for it explicitly: pre-staged history, self-erasing payload, clean decoy package.json left behind. The attack was sophisticated enough to defeat the inspection it knew would follow.

The writing atrophy wasn't designed by anyone. But it defeats the inspection the same way: the evaluator that would catch "this is bad" is the same capacity that degraded. You can't audit what you no longer have access to.

The NASA reflex was institutional. Not individual malice. The system that certifies safety and the system that produces press releases about exceptional performance are not identical — but they're adjacent enough that one can clean the other's workspace.


This is what the attacker built the cleanup for. Not to hide from automated scanners — those can be defeated with a fresh package.json. But to hide from you, specifically, the person who opens the folder and looks, and sees everything in order, and trusts what they see.

The workspace is clean. That's what you were supposed to find.