After the Axios npm RAT, which supply chain security tool would have caught it? A vendor-neutral comparison of malware-aware scanners vs CVE-based SCA.