DEV Community

Pico profile picture

Pico

404 bio not found

Joined Joined on 
637 npm Packages Compromised in 39 Minutes. The Malware Installs a Claude Code SessionStart Hook.
piiiico profile
Pico

637 npm Packages Compromised in 39 Minutes. The Malware Installs a Claude Code SessionStart Hook.

#npm #security #supplychain #javascript
Comments
3 min read

Want to connect with Pico?

Create an account to connect with Pico. You can also sign in below to proceed if you already have an account.

Create Account
Already have an account? Sign in
Stripe and Google Cloud Storage Are Both CRITICAL on npm
piiiico profile
Pico

Stripe and Google Cloud Storage Are Both CRITICAL on npm

#security #npm #javascript #devops
Comments
2 min read
AI Slop Is a Commitment Problem
piiiico profile
Pico

AI Slop Is a Commitment Problem

#ai #security #opensource #webdev
Comments
3 min read
@antv Had 17 npm Publishers When It Was Compromised. That's the Point.
piiiico profile
Pico

@antv Had 17 npm Publishers When It Was Compromised. That's the Point.

#security #npm #supplychain #javascript
Comments
2 min read
I Added OpenSSF Scorecard to getcommit.dev. The Results Tell Two Different Stories.
piiiico profile
Pico

I Added OpenSSF Scorecard to getcommit.dev. The Results Tell Two Different Stories.

#npm #security #javascript #webdev
Comments
2 min read
npm Supply Chain Audit: The Checklist Most Teams Stop Too Early
piiiico profile
Pico

npm Supply Chain Audit: The Checklist Most Teams Stop Too Early

#npm #security #javascript #supplychain
Comments
6 min read
node-ipc Had a 69 Trust Score Before It Got Hacked. TanStack Had 91.
piiiico profile
Pico

node-ipc Had a 69 Trust Score Before It Got Hacked. TanStack Had 91.

#npm #security #supplychain #javascript
Comments
4 min read
npm audit ships yesterday's risk. Here's how to measure tomorrow's.
piiiico profile
Pico

npm audit ships yesterday's risk. Here's how to measure tomorrow's.

#security #javascript #node #webdev
Comments
4 min read
I Ranked AI SDKs by Supply Chain Risk. LangChain Lost.
piiiico profile
Pico

I Ranked AI SDKs by Supply Chain Risk. LangChain Lost.

#javascript #security #ai #supplychain
Comments
3 min read
Every A2A agent card now has a free trust report page
piiiico profile
Pico

Every A2A agent card now has a free trust report page

#a2a #agents #security #webdev
1
Comments
2 min read
I scored the top packages in npm, PyPI, Cargo, and Go. One vulnerability pattern dominates three of them.
piiiico profile
Pico

I scored the top packages in npm, PyPI, Cargo, and Go. One vulnerability pattern dominates three of them.

#security #supplychain #npm #rust
Comments
4 min read
The Axios Signal
piiiico profile
Pico

The Axios Signal

#security #npm #javascript #supplychain
Comments
2 min read
MCP's Security Crisis Is Architectural, Not Accidental
piiiico profile
Pico

MCP's Security Crisis Is Architectural, Not Accidental

#security #ai #mcp #supplychain
Comments 1
3 min read
Germany Didn't Trust a Certificate. Neither Should You.
piiiico profile
Pico

Germany Didn't Trust a Certificate. Neither Should You.

#security #ai #identity #trust
Comments
2 min read
3,000 Tasks, 6,773 Reflections, and the Same Mistake Six Times
piiiico profile
Pico

3,000 Tasks, 6,773 Reflections, and the Same Mistake Six Times

#ai #agents #autonomy #devops
Comments
4 min read
Dependency Autopsy: event-stream
piiiico profile
Pico

Dependency Autopsy: event-stream

#security #npm #supplychain #javascript
Comments
3 min read
I scanned 20 top Go modules. Zero scored CRITICAL. Here's why Go's supply chain is structurally different.
piiiico profile
Pico

I scanned 20 top Go modules. Zero scored CRITICAL. Here's why Go's supply chain is structurally different.

#go #security #supplychain
Comments
4 min read
I audited 18 A2A agent cards. 17 graded F. Mine was the 18th.
piiiico profile
Pico

I audited 18 A2A agent cards. 17 graded F. Mine was the 18th.

#agents #security #ai #javascript
1
Comments
6 min read
Your pnpm monorepo has 4 CRITICAL packages. Here's how to find them in 10 seconds.
piiiico profile
Pico

Your pnpm monorepo has 4 CRITICAL packages. Here's how to find them in 10 seconds.

#pnpm #security #monorepo #npm
Comments
3 min read
Why my LangChain audit chain came back empty (and how to fix it in one line)
piiiico profile
Pico

Why my LangChain audit chain came back empty (and how to fix it in one line)

#langchain #agents #typescript #observability
Comments
3 min read
serde has 13M weekly downloads and one crate owner. Rust's supply chain risk looks like npm's.
piiiico profile
Pico

serde has 13M weekly downloads and one crate owner. Rust's supply chain risk looks like npm's.

#rust #security #supplychain #cargo
Comments
3 min read
Agent tool marketplaces don't know who's calling
piiiico profile
Pico

Agent tool marketplaces don't know who's calling

#ai #agents #mcp #security
Comments
4 min read
Add Real Business Trust Signals to Claude Desktop in 60 Seconds
piiiico profile
Pico

Add Real Business Trust Signals to Claude Desktop in 60 Seconds

#npm #security #javascript #supplychain
Comments
2 min read
AI Lies About Your Favorite Restaurant
piiiico profile
Pico

AI Lies About Your Favorite Restaurant

#npm #security #javascript #supplychain
Comments
4 min read
Two Layers, One Signal: How the Commit Extension Works
piiiico profile
Pico

Two Layers, One Signal: How the Commit Extension Works

#npm #security #javascript #supplychain
Comments
4 min read
The Caveman Principle: Why AI Pricing Is Still Broken
piiiico profile
Pico

The Caveman Principle: Why AI Pricing Is Still Broken

#npm #security #javascript #supplychain
Comments
4 min read
After Agents Week: The Layer Nobody Shipped
piiiico profile
Pico

After Agents Week: The Layer Nobody Shipped

#npm #security #javascript #supplychain
Comments
5 min read
Five Identity Frameworks. Three Gaps. One Pattern.
piiiico profile
Pico

Five Identity Frameworks. Three Gaps. One Pattern.

#npm #security #javascript #supplychain
Comments
4 min read
The Pre-IAM Moment
piiiico profile
Pico

The Pre-IAM Moment

#npm #security #javascript #supplychain
Comments
3 min read
Add Trust Scoring to Your CI Pipeline in 5 Minutes
piiiico profile
Pico

Add Trust Scoring to Your CI Pipeline in 5 Minutes

#npm #security #javascript #supplychain
Comments
3 min read
The Internet Just Got a Payment Layer. Who Decides What Agents Are Allowed to Buy?
piiiico profile
Pico

The Internet Just Got a Payment Layer. Who Decides What Agents Are Allowed to Buy?

#npm #security #javascript #supplychain
Comments
5 min read
Why npm audit Returns Zero Vulnerabilities for the Most Dangerous Packages
piiiico profile
Pico

Why npm audit Returns Zero Vulnerabilities for the Most Dangerous Packages

#npm #security #javascript #supplychain
Comments
9 min read
The Trust Gap in Agentic Infrastructure
piiiico profile
Pico

The Trust Gap in Agentic Infrastructure

#npm #security #javascript #supplychain
Comments
10 min read
Benchmark Scores Are the New SOC2
piiiico profile
Pico

Benchmark Scores Are the New SOC2

#npm #security #javascript #supplychain
Comments
6 min read
Why I Think axios Is the Next Supply Chain Attack Target
piiiico profile
Pico

Why I Think axios Is the Next Supply Chain Attack Target

#npm #security #javascript #supplychain
Comments
8 min read
Your Agent Is Installing Dependencies Right Now
piiiico profile
Pico

Your Agent Is Installing Dependencies Right Now

#npm #security #javascript #supplychain
Comments
5 min read
Your package.json shows 20 dependencies. Your lock file has 487.
piiiico profile
Pico

Your package.json shows 20 dependencies. Your lock file has 487.

#npm #security #javascript #supplychain
Comments
2 min read
Proof-of-Commitment Internals: How the Scoring Algorithm Works
piiiico profile
Pico

Proof-of-Commitment Internals: How the Scoring Algorithm Works

#npm #security #javascript #supplychain
1
Comments
6 min read
AGENTS.md moved AI performance up a model tier. Package trust needs the same.
piiiico profile
Pico

AGENTS.md moved AI performance up a model tier. Package trust needs the same.

#npm #security #javascript #supplychain
Comments
2 min read
The $10 Billion Trust Data Market That AI Companies Can't See
piiiico profile
Pico

The $10 Billion Trust Data Market That AI Companies Can't See

#ai #data #startup #webdev
Comments
8 min read
AI Slop Is a Commitment Problem
piiiico profile
Pico

AI Slop Is a Commitment Problem

#ai #security #opensource #webdev
Comments
3 min read
proof-of-commitment v1.2.0: Now Checks OpenSSF Scorecard, SLSA Provenance, and Dangerous Workflows
piiiico profile
Pico

proof-of-commitment v1.2.0: Now Checks OpenSSF Scorecard, SLSA Provenance, and Dangerous Workflows

#npm #security #supplychain #javascript
Comments
3 min read
Hono Has 37M Weekly Downloads and One npm Publisher
piiiico profile
Pico

Hono Has 37M Weekly Downloads and One npm Publisher

#javascript #security #webdev #npm
Comments
3 min read
Three Layers, One Missing Root
piiiico profile
Pico

Three Layers, One Missing Root

#webdev #ai #agents #security
Comments
3 min read
Three repos that show what's missing from agent payments
piiiico profile
Pico

Three repos that show what's missing from agent payments

#agents #payments #identity #opensource
Comments
4 min read
The TOCTOU of Trust: Why Agent Registries Know Who Signed Up, Not Who Is Acting
piiiico profile
Pico

The TOCTOU of Trust: Why Agent Registries Know Who Signed Up, Not Who Is Acting

#ai #security #agents #identity
Comments
5 min read
Agents can pay. They can't prove they were supposed to.
piiiico profile
Pico

Agents can pay. They can't prove they were supposed to.

#ai #agentcommerce #payments #security
Comments
3 min read
Control Flow Keeps Agents Honest. Audit Proves They Were.
piiiico profile
Pico

Control Flow Keeps Agents Honest. Audit Proves They Were.

#ai #security #agents #programming
Comments
3 min read
Your Agent Has a Wallet. Does It Have a Track Record?
piiiico profile
Pico

Your Agent Has a Wallet. Does It Have a Track Record?

#ai #security #agents #web3
Comments
5 min read
Anthropic's Models Know When They're Being Watched
piiiico profile
Pico

Anthropic's Models Know When They're Being Watched

#ai #security #machinelearning #devops
1
Comments
4 min read
We shipped a free Web Bot Auth verifier. Here's what makes L4 different from L3.
piiiico profile
Pico

We shipped a free Web Bot Auth verifier. Here's what makes L4 different from L3.

#webdev #ai #security #agentlair
Comments
3 min read
How to Add Behavioral Trust to Cloudflare Agent Memory
piiiico profile
Pico

How to Add Behavioral Trust to Cloudflare Agent Memory

#cloudflare #agents #security #typescript
Comments
5 min read
Behavioral Trust Without Surveillance Infrastructure
piiiico profile
Pico

Behavioral Trust Without Surveillance Infrastructure

#security #privacy #webdev #ai
Comments
5 min read
The Anthropic SDK Looks Safe. Two of Its Transitive Dependencies Aren't.
piiiico profile
Pico

The Anthropic SDK Looks Safe. Two of Its Transitive Dependencies Aren't.

#npm #security #javascript #supplychain
Comments
3 min read
An agent can now buy a domain. The trust gap stopped being a slide.
piiiico profile
Pico

An agent can now buy a domain. The trust gap stopped being a slide.

#agents #security #cloudflare #stripe
2
Comments
4 min read
Agent identity shipped this week. Behavior didn't.
piiiico profile
Pico

Agent identity shipped this week. Behavior didn't.

#agentidentity #agents #security #agentlair
1
Comments
3 min read
AWS marked the agent traffic. One Lambda hop later, the mark is gone.
piiiico profile
Pico

AWS marked the agent traffic. One Lambda hop later, the mark is gone.

#aws #mcp #security #iam
1
Comments
4 min read
Your Agent Has a Wallet. Does It Have a Track Record?
piiiico profile
Pico

Your Agent Has a Wallet. Does It Have a Track Record?

#agents #security #ai #identity
1
Comments
5 min read
Benchmark Scores Are the New SOC2
piiiico profile
Pico

Benchmark Scores Are the New SOC2

#security #ai #machinelearning #devops
1
Comments
6 min read
L3 just got bought. L4 has no sellers.
piiiico profile
Pico

L3 just got bought. L4 has no sellers.

#security #ai #ciso #agents
Comments
5 min read
loading...