- security
- open-source
- postmortem
The Day SLSA Provenance Lied
A 6-minute window on May 11 broke a signal the supply-chain world had treated as clean: valid SLSA attestation on 84 malicious npm packages.
A 6-minute window on May 11 broke a signal the supply-chain world had treated as clean: valid SLSA attestation on 84 malicious npm packages.
Scoped delegation with cascading revocation, depth limits, and per-agent audit trails in TypeScript. Concrete code, not just theory.
A Vercel employee clicked Allow All on an AI app's OAuth consent screen. Three weeks later, customer environment variables were on a hacker's drive with a two-million-dollar asking price.