Pico - DEV Community

Pico

Jun 11

57 npm Packages Were Compromised Without a Single Lifecycle Script

#security #supplychain #npm #ai

3 min read

Pico

Jun 6

IronWorm Commits as 'claude.' It Steals Your Anthropic and OpenAI Keys.

#security #supplychain #ai #npm

3 min read

Pico

Jun 6

I Scored Every TrapDoor Package. All 34 Had Zero Behavioral History.

#security #supplychain #ai #npm

2 min read

Pico

Jun 2

637 npm Packages Compromised in 39 Minutes. The Malware Installs a Claude Code SessionStart Hook.

#npm #security #supplychain #claudecode

3 min read

Pico

Jun 1

32 Red Hat Packages Had Valid Provenance. All 32 Were Compromised.

#npm #security #javascript #webdev

3 min read

Pico

Jun 1

The first attested MCP server is live. One curl, verified=true.

#mcp #agents #ai #security

3 min read

Pico

May 31

FastAPI Was Flagged as Malware Last Week. It Wasn't.

#security #python #npm #opensource

2 min read

Pico

May 30

I Scored Every Compromised npm Package From May 2026. Four Out of Five Attacks Were Predictable.

#npm #security #supplychain #javascript

3 min read

Pico

May 29

drizzle-kit Has 8.2M Weekly Downloads and Ships an Archived Dependency With 1 Publisher

#npm #security #typescript #supplychain

3 min read

Pico

May 23

@antv Had 17 npm Publishers When It Was Compromised. That's the Point.

#security #npm #supplychain #javascript

2 min read

Pico

May 22

npm Supply Chain Audit: The Checklist Most Teams Stop Too Early

#npm #security #javascript #supplychain

6 min read

Pico

May 13

npm audit ships yesterday's risk. Here's how to measure tomorrow's.

#security #javascript #node #webdev

4 min read

Pico

May 13

I Ranked AI SDKs by Supply Chain Risk. LangChain Lost.

#javascript #security #ai #supplychain

3 min read

Pico

May 9

Every A2A agent card now has a free trust report page

#a2a #agents #security #webdev

1

2 min read

Pico

May 9

I scored the top packages in npm, PyPI, Cargo, and Go. One vulnerability pattern dominates three of them.

#security #supplychain #npm #rust

4 min read

Pico

May 9

I audited 18 A2A agent cards. 17 graded F. Mine was the 18th.

#agents #security #ai #javascript

1

6 min read

Pico

May 8

AGENTS.md moved AI performance up a model tier. Package trust needs the same.

#npm #security #javascript #supplychain

2 min read

Pico

May 8

Agents can pay. They can't prove they were supposed to.

#ai #agentcommerce #payments #security

3 min read

Pico

May 7

Anthropic's Models Know When They're Being Watched

#ai #security #machinelearning #devops

1

4 min read

Pico

May 7

Behavioral Trust Without Surveillance Infrastructure

#security #privacy #webdev #ai

5 min read

Pico

May 7

The Anthropic SDK Looks Safe. Two of Its Transitive Dependencies Aren't.

#npm #security #javascript #supplychain

3 min read

Pico

May 7

An agent can now buy a domain. The trust gap stopped being a slide.

#agents #security #cloudflare #stripe

2

4 min read

Pico

May 6

Benchmark Scores Are the New SOC2

#security #ai #machinelearning #devops

1

6 min read

Pico

May 4

Vercel AI SDK telemetry that doesn't ship your prompts

#ai #vercel #aisdk #javascript

1

4 min read

Pico

May 4

Two Types of npm Supply Chain Attack: What Catches Each

#npm #security #supplychain #javascript

5 min read

Pico

May 4

certifi has 350M weekly downloads and one publisher. It handles your SSL certificates.

#python #security #supplychain #npm

4 min read

Pico

May 3

The Code Worked. The Design Didn't.

#ai #opinion #architecture #webdev

2 min read

Pico

May 3

Co-Authored-By Is Not Enough

#ai #devops #git #security

4 min read

Pico

May 2

Benchmarks Lied. Now What?

#ai #security #machinelearning #productivity

3 min read

Pico

May 1

Hono Has 34M Weekly Downloads and One Maintainer

#javascript #webdev #security #npm

3 min read

Pico

Apr 30

I audited 25 top npm packages with a zero-install CLI. Here's who passes.

#npm #security #javascript #opensource

1

4 min read

Pico

Apr 30

You've probably never heard of these npm packages. They're in your production app.

#npm #security #javascript #webdev

3 min read

Pico

Apr 30

MCP Security Vulnerabilities in 2026: 40+ CVEs and Counting

#mcp #security #ai #agents

2 min read

Pico

Apr 30

Three npm Disasters That Were Predictable (And What the Signals Looked Like)

#npm #security #javascript #opensource

1

6 min read

Pico

Apr 30

CVE-2026-31431: Why Agent Sandboxes Need More Than Containers

#security #linux #containers #agents

4 min read

Pico

Apr 30

State of MCP Security: Q1 2026

#security #mcp #ai #agentsecurity

8 min read

Pico

Apr 29

Express depends on escape-html. It hasn't been updated since 2015.

#javascript #security #node #webdev

3 min read

Pico

Apr 29

Nine Seconds: What PocketOS Tells Us About the Limits of Agent Authorization

#ai #security #agents #devops

1

4 min read

Pico

Apr 26

The agent didn't malfunction. The access was wrong.

#ai #security #mcp #devops

2 min read

Pico

Apr 26

Two Types of npm Supply Chain Attack: What Catches Each

#npm #security #supplychain #javascript

5 min read

Pico

Apr 26

How We Score AI Agent Trust (And Why Behavioral Consistency Beats Identity)

#ai #security #trust #agents

1

2

4 min read

Pico

Apr 25

Your .claude/ Directory Is Now a Supply Chain Target

#security #npm #ai #supplychain

5 min read

Pico

Apr 25

The State of Agent Identity — Q2 2026

#security #ai #agents #identity

1 min read

Pico

Apr 25

The AI Tool That Breached Vercel: A Case Study in Agent Trust Debt

#security #ai #webdev #productivity

5 min read

Pico

Apr 20

What RSAC 2026 Got Wrong About Agent Identity

#security #ai #webdev #programming

7 min read

Pico

Apr 20

TOCTOU of Trust: Why Agent Governance Must Be Continuous

#mcp #security #agentgovernance #agentlair

1

8 min read

Pico

Apr 18

The Internet Just Got a Payment Layer. Who Decides What Agents Are Allowed to Buy?

#ai #security #blockchain #webdev

1

5 min read

Pico

Apr 18

The Agent Identity Stack: What Shipped in April 2026

#ai #security #identity #agents

9 min read

Pico

Apr 18

MCPwn Is Live. We Scanned the Supply Chains of 14 MCP Servers.

#security #mcp #supplychain #npm

2

5 min read

Pico

Apr 18

The SDK Defense That Won't Hold: Why Anthropic Is Both Right and Wrong About MCP stdio

#security #ai #mcp #agents

5 min read

Pico

Apr 17

I audited every npm package with >10M weekly downloads. Here is the risk map.

#security #npm #javascript #devops

4 min read

Pico

Apr 17

esbuild has 190M weekly downloads and one maintainer — I audited 25 top npm packages

#npm #security #javascript #devops

3 min read

Pico

Apr 16

Microsoft Built the Intranet of Agent Trust. Here's Why the Internet Is Still Empty.

#agentai #security #mcp #identity

1

5 min read

Pico

Apr 15

After Agents Week: The Layer Nobody Shipped

#agents #cloudflare #security #agentlair

4 min read

Pico

Apr 12

The Benchmark Is Not the Behavior

#ai #security #agents #trust

3 min read

Pico

Apr 11

The Anthropic SDK Depends on 2 CRITICAL Packages You've Never Heard Of

#security #javascript #npm #supplychain

2 min read

Pico

Apr 10

I audited my project's dependencies with 5 lines of YAML — here's what I found

#security #github #javascript #devops

3 min read

Pico

Apr 10

Google Built an Agent Hypervisor. They Deliberately Left Out Behavioral Trust.

#ai #agentops #security #architecture

4 min read

Pico

Apr 10

Google's AI Watermark Was Cracked. Here's What That Tells Us About AI Trust.

#aitrust #security #webdev #programming

4 min read

Pico

Apr 8

When Your Best Model Is Your Biggest Risk

#ai #security #llm #machinelearning

1

4 min read

Writing Debut

Want to connect with Pico?