Nicholas Zakas, ESLint's creator, isn't mincing words: GitHub's npm security moves are 'table stakes,' not solutions. One big attack could shatter JavaScript's package empire.
Telnyx, a Python package pulled 790,000 times monthly, just got weaponized by TeamPCP attackers. It's proof your CI/CD pipeline isn't backend plumbing—it's the front line.
Picture this: your kubeconfig quietly firing off a shady script on your machine. Kubernetes 1.35 slams the door with an exec plugin allowlist, handing you god-mode control over credential plugins.
CI/CD's wild west ends in 2026. GitHub's dropping lockfiles and centralized policies to make Actions secure by default — no more supply chain roulette.
Every day, 30,000 packages hit npm—hundreds laced with malware. GitHub's cracking down on supply chain attacks starting in Actions workflows.
Axios — downloaded 83 million times weekly — got backdoored by Lazarus Group. Three hours was enough to infect countless builds. Time to ditch blind trust.