Supply-chain teardowns

The teardown of the next package attack, in your inbox

When a malicious package makes it into npm, PyPI, or a registry your team pulls from, we write up exactly how it got in — the install hook, the maintainer hijack, the typosquat — and the enforcement that would have stopped it at the install boundary. One email per incident. No newsletter.

One email per teardown — only when a real supply-chain incident lands. No newsletter. See our privacy policy.

What lands in your inbox

Mechanism, not headlines

Most incident coverage stops at "a bad package was published." A teardown is the part that's actually useful to a security team: how it reached your developers, and the control that would have caught it.

  • The install-path angle

    Every teardown reconstructs how the malicious package actually reached developers — the install hook, the typosquat, the hijacked maintainer — not just the CVE number everyone else reprints.

  • Only when it's real

    No newsletter, no drip sequence, no 'we wanted to check in.' One email when an incident worth dissecting actually lands. Quiet months stay quiet.

  • What would have caught it

    Each write-up ends with the concrete enforcement that would have blocked it at the install boundary — a policy you can copy, not a vendor pitch.

  • Your data stays yours

    Your email goes into our own infrastructure, not a third-party email platform. Same sovereignty stance as the product. Unsubscribe in one click.