Skip to content
SecurityProgramming

Developer Warns That Every Dependency Is a Supply Chain Attack Waiting to Happen

tldr / devops 20h ago 7

Software developer Ben Hoyt warns that third-party libraries—including dev dependencies—pose serious supply chain risks, citing the XZ backdoor, Trivy, and LiteLLM incidents. He argues that automatic updates via tools like Dependabot often introduce more vulnerabilities than they fix, as updated code rarely receives the same scrutiny as initial additions. He advises minimizing dependencies, disabling automated updaters, and carefully evaluating every library before adding it to a project.

Read full article →

More Security

OpenAI Ships Million-Line Product Written Entirely by Codex Agents

hackernews / top 1d ago 9

OpenAI details building and shipping a full product with zero manually-written code using Codex agents, achieving roughly 10x speed and redefining engineering as steering rather than coding.

Anthropic embeds engineers in NSA to deploy Mythos for offensive cyber operations

tldr / ai 20h ago 9

Anthropic embedded engineers in the NSA to deploy its unreleased Mythos AI for offensive cyber operations, even as it sues the Pentagon over military AI restrictions.

GitHub scrubs 70+ Microsoft repos as Miasma worm breaks CI/CD pipelines

theregister / security 6h ago 9

GitHub disabled 70+ Microsoft repos in under two minutes after the Miasma worm infected projects via compromised commits, breaking CI/CD pipelines and triggering RCE in developer tools.