Supply-chain teardowns
The teardown of the next package attack, in your inbox
When a malicious package makes it into npm, PyPI, or a registry your team pulls from, we write up exactly how it got in — the install hook, the maintainer hijack, the typosquat — and the enforcement that would have stopped it at the install boundary. One email per incident. No newsletter.
What lands in your inbox
Mechanism, not headlines
Most incident coverage stops at "a bad package was published." A teardown is the part that's actually useful to a security team: how it reached your developers, and the control that would have caught it.
-
The install-path angle
Every teardown reconstructs how the malicious package actually reached developers — the install hook, the typosquat, the hijacked maintainer — not just the CVE number everyone else reprints.
-
Only when it's real
No newsletter, no drip sequence, no 'we wanted to check in.' One email when an incident worth dissecting actually lands. Quiet months stay quiet.
-
What would have caught it
Each write-up ends with the concrete enforcement that would have blocked it at the install boundary — a policy you can copy, not a vendor pitch.
-
Your data stays yours
Your email goes into our own infrastructure, not a third-party email platform. Same sovereignty stance as the product. Unsubscribe in one click.