Tag: #software-dependencies (2 posts)
-
Analysis · May 12, 2026 · Colten Anderson
What 14 days of TeamPCP told us about registry defense in 2026
Five compromises across two ecosystems in six weeks, then a 169-package npm wave on May 11. One threat actor, two very different defensive postures. The pattern is the point.
-
Analysis · May 4, 2026 · Colten Anderson
Three hours was the good outcome: npm's trust model and the Axios compromise
A DPRK threat actor backdoored two Axios versions on npm. Socket flagged the malicious dependency in six minutes. Nothing stopped the downstream publish fifteen minutes later. The system worked exactly as designed.