- security
- open-source
- postmortem
The Day SLSA Provenance Lied
A 6-minute window on May 11 broke a signal the supply-chain world had treated as clean: valid SLSA attestation on 84 malicious npm packages.
A 6-minute window on May 11 broke a signal the supply-chain world had treated as clean: valid SLSA attestation on 84 malicious npm packages.
Cursor 3 shipped the Agents Window and we immediately learned the hard way what parallel agents actually need: exclusion lists, worktrees, and honest accounting of what gets traded away.
Three overlapping bugs caused four weeks of subtle Claude Code regressions that no standard test suite would have caught.