The past 60 days have been brutal for supply chain security:
• 639 malicious versions across 323 packages in ONE hour (AntV wave)
• A worm with valid SLSA Build Level 3 provenance (TanStack)
• North Korean APTs injecting malware into "AI-assisted coding...
OpenTelemetry Collector configs are easy to grow and hard to reason about.
A config can be valid and still have production risks:
exporters:
  otlphttp:
    endpoint: http://backend.example.com
    headers:
      X-API-KEY: "hardcoded-secret"
o...
On March 31, 2026, the software development and Web3 communities were hit by one of the most severe supply chain attacks in recent history. Axios, an incredibly popular JavaScript HTTP client with an estimated 100 million to over 300 million weekly d...
The Anatomy of the LiteLLM Supply Chain Attack: A Catastrophic Compromise in the AI Ecosystem via "Vibe Coding"
The Keys to the AI Kingdom
On March 24, 2026, the artificial intelligence developer ecosystem experienced an unprecedented software sup...