#supply-chain
every dependency you didn't write, audit, or notice — until one of them notices you.
3 blog posts.
Blog posts
Identity, network, default creds, attestation, audit logs — the controls that close most of the gap Parts 1 and 2 left.
Hardening GitHub Actions for small teams. SHA pinning, OIDC, cooldowns, and the trigger Future You at 3am should not touch.
A startup-grade defense against npm supply-chain attacks, written for Future You at 3am. Chainjacking, postinstall scripts, and the smallest install that…