Articles
Field notes on the code you didn't write.
Supply-chain incidents, the runtime behaviors that give a malicious dependency away, and why install-time has become the frontline for npm and PyPI.
The 2025–2026 supply-chain attacks share one trait: they fire at install time
The recent npm and PyPI compromises weren't obscure typosquats — they were trusted names, hit through hijacked accounts, with the malice running during installation.
Read →The runtime signals that give a malicious install away
A normal install is boring. A poisoned one does extra things — and those things stay observable even when the code that triggers them is hidden.
Read →Most of your software is code you didn't write — and that's the attack surface
You pick ~10 direct dependencies; your build installs 80+. The majority of what you ship is transitive code you never chose — and it's where the threat now concentrates.
Read →