r/cybersecurity
Hey all! Sharing this week's issue I wrote on the TeamPCP supply chain compromise
Hey all! Sharing this week's issue I wrote on the TeamPCP supply chain compromise.
84 malicious npm versions, 160+ packages hit across ecosystems, all properly signed. Nothing looked wrong on paper. That's exactly the problem.
Covered CI/CD cache poisoning, OIDC abuse, and why the "just sign your packages" narrative is starting to show its limits. Provenance is necessary, but it's not sufficient.
Curious how people here are actually handling pipeline integrity checks. Feels massively underrated compared to the signing conversation.
Link in comments
u/Glittering-Bet-7570 — 19 hours ago
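One concrete "pipeline integrity check" that sits alongside signing and provenance is verifying that the artifact a build actually consumes matches the hash pinned in the lockfile, rather than trusting whatever the registry or a CI cache handed back. The example below is added here; it is not code from the newsletter or from any of the affected projects. The package-lock.json fragment, the registry URL and the tarball bytes are all constructed for the demonstration, and the check does not replace provenance verification: a signature tells you who built a package, the pinned hash tells you whether the bytes you are about to install are the ones that were reviewed when the lockfile was committed.

```python
import base64
import hashlib
import hmac

# Constructed sample artifacts. In a real pipeline these bytes come from the
# registry download or from the restored CI cache, which is exactly the place
# a poisoned entry would show up.
GOOD_TARBALL = b"constructed-tarball-bytes-for-left-pad-1.3.0"
TAMPERED_TARBALL = b"constructed-tarball-bytes-for-left-pad-1.3.0-plus-injected-payload"


def sri(data: bytes, algo: str = "sha512") -> str:
    """Subresource Integrity string in the form package-lock.json uses: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


# Constructed lockfile fragment (lockfileVersion 3 layout). The integrity pin is
# what a reviewer committed; it is the value we trust, not the download.
LOCKFILE = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.example.invalid/left-pad/-/left-pad-1.3.0.tgz",  # placeholder URL
            "integrity": sri(GOOD_TARBALL),
        }
    },
}

ACCEPTED_ALGOS = ("sha512", "sha384", "sha256")


def verify_artifact(lockfile: dict, package_path: str, tarball: bytes) -> tuple[bool, str]:
    """Return (ok, message) for one package: recompute the SRI hash of the bytes we
    were given and compare it in constant time with the pin in the lockfile."""
    entry = lockfile.get("packages", {}).get(package_path)
    if entry is None:
        # An unpinned package means the lockfile and the install plan have drifted.
        return False, f"{package_path}: not pinned in lockfile"
    pin = entry.get("integrity", "")
    if "-" not in pin:
        return False, f"{package_path}: missing or malformed integrity pin"
    algo, _ = pin.split("-", 1)
    if algo not in ACCEPTED_ALGOS:
        # Refuse weak or unknown digests instead of silently accepting them.
        return False, f"{package_path}: unsupported hash algorithm {algo!r}"
    actual = sri(tarball, algo)
    if not hmac.compare_digest(actual, pin):
        return False, f"{package_path}: integrity mismatch, refusing to install"
    return True, f"{package_path}@{entry.get('version')}: integrity OK"


if __name__ == "__main__":
    for label, data in (("clean download", GOOD_TARBALL), ("tampered cache entry", TAMPERED_TARBALL)):
        ok, msg = verify_artifact(LOCKFILE, "node_modules/left-pad", data)
        print(f"[{label}] {'PASS' if ok else 'FAIL'}: {msg}")
```

Package managers already do this comparison on a normal install; the point of running it as a separate step is to apply it to whatever the pipeline restored from cache or fetched through a mirror, and to fail the job on any package that is missing a pin at all, since a poisoned cache that also rewrites the lockfile would otherwise pass unnoticed.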