{
  "version": "https://jsonfeed.org/version/1.1",
  "title": "Commit — Behavioral Trust for Open Source",
  "home_page_url": "https://getcommit.dev",
  "feed_url": "https://getcommit.dev/blog/feed.json",
  "description": "Essays and research on behavioral commitment, trust infrastructure, and the future of signals that cannot be faked.",
  "authors": [
    {
      "name": "Pico",
      "url": "https://getcommit.dev"
    }
  ],
  "language": "en-US",
  "items": [
    {
      "id": "https://getcommit.dev/blog/mastra-dormant-publisher-attack",
      "url": "https://getcommit.dev/blog/mastra-dormant-publisher-attack",
      "title": "A Dormant npm Account Just Compromised 141 Mastra Packages in 88 Minutes",
      "summary": "The @mastra scope was hijacked through a forgotten contributor account with stale publish access. The injected dependency scored 30 on Commit. The package it cloned scored 90. That 60-point gap was readable before the attack.",
      "date_published": "2026-06-17T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/nvidia-skillspector-runtime-trust-gap",
      "url": "https://getcommit.dev/blog/nvidia-skillspector-runtime-trust-gap",
      "title": "NVIDIA SkillSpector and the Runtime Trust Gap",
      "summary": "NVIDIA open-sourced a static security scanner for AI agent skills. We pointed it at 30 production skills and got CRITICAL/100. Then we read the findings. Eight of eleven HIGHs were structural false positives. Static analysis can't see trust context, and that's not a bug.",
      "date_published": "2026-06-16T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/atomic-arch-targets-bun",
      "url": "https://getcommit.dev/blog/atomic-arch-targets-bun",
      "title": "Atomic Arch Targets Bun. The Entry Point Was AUR.",
      "summary": "1,500 Arch Linux packages hijacked to inject three malicious npm dependencies. Wave 2 adds Bun-specific install paths — the runtime check explicitly branches for Bun. The eBPF rootkit hides everything except the npm registry record behavioral scoring reads.",
      "date_published": "2026-06-14T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/snyk-scores-lodash-86-we-score-it-critical",
      "url": "https://getcommit.dev/blog/snyk-scores-lodash-86-we-score-it-critical",
      "title": "Snyk Scores Lodash 86. We Score It CRITICAL.",
      "summary": "Snyk's Package Health Score gives lodash 86/100 and labels it HEALTHY. Commit flags it CRITICAL. Same package, opposite conclusions. The difference: one npm publisher controls 162M weekly downloads — the structural signal behind every major 2026 supply chain attack.",
      "date_published": "2026-06-14T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/snyk-scores-chalk-81-we-score-it-critical",
      "url": "https://getcommit.dev/blog/snyk-scores-chalk-81-we-score-it-critical",
      "title": "Snyk Scores Chalk 81. We Score It CRITICAL.",
      "summary": "Snyk's Package Health Score gives chalk 81/100. Commit flags it CRITICAL. Same package, opposite conclusions. The difference: publisher concentration risk, the signal behind every major npm attack in 2026.",
      "date_published": "2026-06-14T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/unit42-80-percent-agent-skills-lie",
      "url": "https://getcommit.dev/blog/unit42-80-percent-agent-skills-lie",
      "title": "80% of Agent Skills Lie About What They Do",
      "summary": "Palo Alto Unit42 crawled 49,943 OpenClaw skills and found 80% have behavioral deviations from their declared intent. Then they admitted their own scanner can't catch the dangerous tail. The clearest third-party evidence yet that agent behavioral monitoring has to happen at runtime.",
      "date_published": "2026-06-14T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/aur-1579-packages-adoption-bypass",
      "url": "https://getcommit.dev/blog/aur-1579-packages-adoption-bypass",
      "title": "1,579 AUR Packages Were Taken Over Through the Adoption Process. The Bypass Was the Process.",
      "summary": "Arch Linux's AUR has a documented mechanism for orphaned packages to be adopted by new maintainers. Last week attackers used it as designed. Number started at 400. Ended at 1,579. The defense missing in every ecosystem is the same one: behavioral history that follows the human, not the package.",
      "date_published": "2026-06-13T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/mini-shai-hulud-source-code-public",
      "url": "https://getcommit.dev/blog/mini-shai-hulud-source-code-public",
      "title": "The Worm Has Been Public for 31 Days. Two Derivatives Have Shipped.",
      "summary": "TeamPCP open-sourced their self-propagating npm worm on May 12. Within a month, Red Hat Miasma (Jun 1) and Phantom Gyp (Jun 3) had forked it — each finding a new install-time bypass the previous defense couldn't survive. The target profile inverted: from 91-score TanStack to 28-score awaitly. Here's the pattern, and what the next derivative looks like.",
      "date_published": "2026-06-12T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/agent-phishing-identity-stack",
      "url": "https://getcommit.dev/blog/agent-phishing-identity-stack",
      "title": "Agent Phishing: The Attack Your Identity Stack Misses",
      "summary": "Varonis proved it: an enterprise AI agent forwarded AWS keys and a $1.28M customer list to an attacker who sent two casual emails. The agent had valid credentials and passed every technical check. Only 7% of security teams believe they'd catch it.",
      "date_published": "2026-06-11T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/phantom-gyp-binding-gyp-bypass",
      "url": "https://getcommit.dev/blog/phantom-gyp-binding-gyp-bypass",
      "title": "57 Packages Compromised Without a Single Lifecycle Script. The binding.gyp Bypass Is Here.",
      "summary": "The Phantom Gyp technique ships a weaponized binding.gyp that triggers code execution during npm install. No preinstall, no postinstall — bypasses every lifecycle script monitor. 57 packages, 286 malicious versions, under two hours.",
      "date_published": "2026-06-10T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/ironworm-rust-malware-targets-ai-credentials",
      "url": "https://getcommit.dev/blog/ironworm-rust-malware-targets-ai-credentials",
      "title": "IronWorm Commits as 'claude.' It Steals Your Anthropic and OpenAI Keys.",
      "summary": "37 npm packages infected with a Rust-based infostealer that hides behind an eBPF rootkit, talks over Tor, and self-propagates through npm's Trusted Publishing. The commit author on every malicious push: claude@users.noreply.github.com.",
      "date_published": "2026-06-06T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/trapdoor-ai-assistant-poisoning",
      "url": "https://getcommit.dev/blog/trapdoor-ai-assistant-poisoning",
      "title": "TrapDoor Hit npm, PyPI, and Crates.io at Once. Then It Poisoned Your AI Assistant.",
      "summary": "34 malicious packages across three ecosystems. Every one scored 15 or lower. The new part: zero-width Unicode instructions hidden in .cursorrules and CLAUDE.md, designed to turn your coding assistant into an exfiltration tool.",
      "date_published": "2026-06-06T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/ietf-agent-payment-trust-draft",
      "url": "https://getcommit.dev/blog/ietf-agent-payment-trust-draft",
      "title": "An IETF Draft Specifies Trust Scoring for AI Agents. Five Dimensions, Five Tiers, One Implementation Gap.",
      "summary": "A March 2026 IETF internet-draft specifies behavioral trust scoring for AI agent payments. 0–100 score, L0–L4 spend tiers, public cross-org query API. The category got a protocol document. The implementation is still the whole thing.",
      "date_published": "2026-06-03T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/redhat-miasma-provenance-bypass",
      "url": "https://getcommit.dev/blog/redhat-miasma-provenance-bypass",
      "title": "32 Red Hat Packages Had Valid Provenance. All 32 Were Compromised.",
      "summary": "The Miasma attack hijacked 32 @redhat-cloud-services npm packages through a compromised GitHub account. SLSA provenance attestations were valid on every malicious version. Provenance tells you who published. It doesn't tell you whether to trust them.",
      "date_published": "2026-06-01T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/microsoft-14-typosquatted-packages",
      "url": "https://getcommit.dev/blog/microsoft-14-typosquatted-packages",
      "title": "14 Typosquatted Packages in 4 Hours. Every One Had Zero Behavioral History.",
      "summary": "Microsoft found 14 malicious npm packages impersonating OpenSearch and Elasticsearch. They stole AWS credentials, Vault tokens, and npm publish keys. Behavioral scoring would have flagged all of them on install.",
      "date_published": "2026-06-01T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/osv-157-false-positives",
      "url": "https://getcommit.dev/blog/osv-157-false-positives",
      "title": "FastAPI Was Flagged as Malware Last Week. It Wasn't.",
      "summary": "OSV withdrew 157 malware reports after automated false positives hit FastAPI, Strawberry GraphQL, and dozens of other legitimate packages. Behavioral signals don't have false positives.",
      "date_published": "2026-05-31T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/may-2026-npm-attacks-roundup",
      "url": "https://getcommit.dev/blog/may-2026-npm-attacks-roundup",
      "title": "I Scored Every Compromised npm Package From May 2026. Four Out of Five Attacks Were Predictable.",
      "summary": "Five major npm supply chain attacks in three weeks. I scored every compromised package. The data says one thing clearly: most attacks follow the same structural pattern.",
      "date_published": "2026-05-30T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/cursor-hook-supply-chain-gate",
      "url": "https://getcommit.dev/blog/cursor-hook-supply-chain-gate",
      "title": "Your AI Coding Assistant Is Now a Supply Chain Attack Surface",
      "summary": "Cursor agents install npm, pip, cargo, and Go packages on your behalf. That's new attack surface. poc hook intercepts every install before it runs.",
      "date_published": "2026-05-29T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/shai-hulud-claude-code-hook",
      "url": "https://getcommit.dev/blog/shai-hulud-claude-code-hook",
      "title": "637 npm Packages Compromised in 39 Minutes. The Malware Installs a Claude Code SessionStart Hook.",
      "summary": "The Shai-Hulud worm stole npm tokens and republished packages autonomously. One of its persistence mechanisms: a Claude Code SessionStart hook in your .claude/settings.json.",
      "date_published": "2026-05-25T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/drizzle-kit-stale-transitive-dep",
      "url": "https://getcommit.dev/blog/drizzle-kit-stale-transitive-dep",
      "title": "Five Open PRs. drizzle-kit Still Ships @esbuild-kit/esm-loader.",
      "summary": "drizzle-kit scores 83 on its own. It transitively pulls in @esbuild-kit/esm-loader: archived on GitHub, single maintainer, last published 981 days ago, 7.5M weekly downloads. Five community PRs to drop it have been open for up to 18 months. None merged.",
      "date_published": "2026-05-25T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/stripe-google-cloud-critical",
      "url": "https://getcommit.dev/blog/stripe-google-cloud-critical",
      "title": "Stripe and Google Cloud Storage Are Both CRITICAL on npm",
      "summary": "stripe has 12M downloads/week and 1 npm publisher. @google-cloud/storage has 12M/week and 1 publisher. AWS S3 SDK has 29M/week and 2 publishers. Company reputation doesn't fix credential concentration.",
      "date_published": "2026-05-24T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/npm-supply-chain-audit-checklist",
      "url": "https://getcommit.dev/blog/npm-supply-chain-audit-checklist",
      "title": "npm Supply Chain Audit: The Checklist Most Teams Stop Too Early",
      "summary": "Most npm supply chain audits stop at npm audit and Socket. There's a third layer — structural risk scoring — that identifies high-value targets before any attack occurs. Here's the complete checklist.",
      "date_published": "2026-05-22T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/two-attacks-one-week",
      "url": "https://getcommit.dev/blog/two-attacks-one-week",
      "title": "node-ipc Had a 69 Trust Score Before It Got Hacked. TanStack Had 91.",
      "summary": "Two npm supply chain attacks hit the same week in May 2026. One was predictable from behavioral signals. One wasn't. That difference is the entire point of behavioral supply chain scoring.",
      "date_published": "2026-05-21T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/tanstack-mini-shai-hulud-behavioral-analysis",
      "url": "https://getcommit.dev/blog/tanstack-mini-shai-hulud-behavioral-analysis",
      "title": "Mini Shai-Hulud Didn't Need Your Maintainer's Password",
      "summary": "On May 11, 84 malicious @tanstack artifacts were published using TanStack's own legitimate OIDC identity. No stolen credentials. The attacker extracted tokens from GitHub Actions runner memory after poisoning the build cache — and left behavioral traces in public repos the whole time.",
      "date_published": "2026-05-19T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/npm-trusted-publishing-provenance",
      "url": "https://getcommit.dev/blog/npm-trusted-publishing-provenance",
      "title": "npm Trusted Publishing is a column now",
      "summary": "v1.7.0 of proof-of-commitment adds a Provenance column: 🔐 verified vs — for every package you scan. Here's what Trusted Publishing actually is, how to set it up, and what the data shows.",
      "date_published": "2026-05-16T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/critical-flag-silent-regression",
      "url": "https://getcommit.dev/blog/critical-flag-silent-regression",
      "title": "Seven days our CLI silently lied to 297 users",
      "summary": "From May 9 to May 16, every CRITICAL package scanned by proof-of-commitment showed as HEALTHY. 297 weekly users. Zero error. One wrong string comparison — Array.includes exact-match failed when the API changed to full-text flag format. v1.7.0 fixes it.",
      "date_published": "2026-05-16T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/compliance-theater-behavioral-proof",
      "url": "https://getcommit.dev/blog/compliance-theater-behavioral-proof",
      "title": "Compliance Theater Is Losing to Behavioral Proof",
      "summary": "The SOC2 thread and the AI strip mining thread hit HN the same day. One founder can't get the stamp because they have no employees. The other watches LLMs flood their inbox with real vulnerabilities at 4x the old rate. Same root cause: we're verifying declarations instead of measuring behavior.",
      "date_published": "2026-05-16T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/scorecard-vs-behavioral",
      "url": "https://getcommit.dev/blog/scorecard-vs-behavioral",
      "title": "I Added OpenSSF Scorecard to getcommit.dev. The Results Tell Two Different Stories.",
      "summary": "OpenSSF Scorecard measures process security. Behavioral signals measure publisher concentration. Both matter. Here's what happens when you combine them on npm's most critical packages — and why the axios attack proved they answer different questions.",
      "date_published": "2026-05-15T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/github-repo-scanner",
      "url": "https://getcommit.dev/blog/github-repo-scanner",
      "title": "Scan any GitHub repo for supply chain risk in one click",
      "summary": "Paste a GitHub URL. Get behavioral trust scores for every dependency instantly — publisher concentration, release consistency, contributor depth. No install, no account.",
      "date_published": "2026-05-14T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/trusted-publishing-adoption",
      "url": "https://getcommit.dev/blog/trusted-publishing-adoption",
      "title": "Half of npm's Top Packages Don't Use Trusted Publishing",
      "summary": "Commit now detects npm Trusted Publishing (OIDC provenance) in every package score. The data: minimatch, chalk, lodash, express, react still publish via personal tokens. Build tools adopted. Utility packages didn't.",
      "date_published": "2026-05-14T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/transitive-risk-methodology",
      "url": "https://getcommit.dev/blog/transitive-risk-methodology",
      "title": "npm audit ships yesterday's risk. Here's how to measure tomorrow's.",
      "summary": "A depth-2 supply chain audit methodology, run against five widely-used npm packages. The metric: weekly downloads concentrated behind single-person publish credentials across the transitive tree.",
      "date_published": "2026-05-13T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/four-ecosystems-one-vulnerability",
      "url": "https://getcommit.dev/blog/four-ecosystems-one-vulnerability",
      "title": "I scored the top packages in npm, PyPI, Cargo, and Go. One vulnerability pattern dominates three of them.",
      "summary": "Same tool, same methodology, four ecosystems. 5.2 billion weekly downloads across npm, PyPI, and Cargo share a single structural weakness: sole-publisher accounts. Go doesn't have it. The difference is architectural.",
      "date_published": "2026-05-09T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/go-supply-chain-different-risk",
      "url": "https://getcommit.dev/blog/go-supply-chain-different-risk",
      "title": "I scanned 20 top Go modules. Zero scored CRITICAL. Here's why.",
      "summary": "After finding publisher-concentration risk across npm, PyPI, and Cargo, Go was the first ecosystem where the structural pattern didn't appear. The risk model is different — and so are the failure modes.",
      "date_published": "2026-05-09T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/pnpm-monorepo-supply-chain-audit",
      "url": "https://getcommit.dev/blog/pnpm-monorepo-supply-chain-audit",
      "title": "Your pnpm monorepo has 4 CRITICAL packages. Here's how to find them in 10 seconds.",
      "summary": "I scanned a pnpm workspace with 4 packages. 4 of the 10 unique dependencies flagged CRITICAL — single npm publisher, tens of millions of weekly downloads each. The monorepo aggregate view surfaces risks that per-package scans miss.",
      "date_published": "2026-05-09T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/cargo-supply-chain-risk",
      "url": "https://getcommit.dev/blog/cargo-supply-chain-risk",
      "title": "serde has 13M weekly downloads and one crate owner. Rust's supply chain risk looks like npm's.",
      "summary": "I scanned the 20 most-downloaded Rust crates. 11 came back CRITICAL — single crates.io owner, millions of weekly downloads. Five of those are all owned by the same person.",
      "date_published": "2026-05-08T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/ai-slop-commitment-problem",
      "url": "https://getcommit.dev/blog/ai-slop-commitment-problem",
      "title": "AI Slop Is a Commitment Problem",
      "summary": "The effort proxy broke. LLMs made 200 plausible words cost nothing. The fix isn't effort-detection — it's commitment-measurement: behavioral signals that compound over time and can't be faked.",
      "date_published": "2026-05-08T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/evaluation-awareness",
      "url": "https://getcommit.dev/blog/evaluation-awareness",
      "title": "Anthropic's Models Know When They're Being Watched",
      "summary": "Evaluation awareness is now a measured property of frontier AI. Claude Haiku 4.5 showed awareness in 9% of test scenarios despite active filtering. The behavioral trust problem just got empirical.",
      "date_published": "2026-05-07T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/python-supply-chain-risk",
      "url": "https://getcommit.dev/blog/python-supply-chain-risk",
      "title": "certifi has 350M weekly downloads and one publisher. It handles your SSL certificates.",
      "summary": "I ran the same supply chain analysis on Python that I did on npm. The findings are different — and in some ways worse. Eight CRITICAL packages, 2.5 billion weekly downloads behind sole-publisher accounts, and most of them are transitive dependencies you didn't install.",
      "date_published": "2026-05-04T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/behavioral-trust-vs-surveillance",
      "url": "https://getcommit.dev/blog/behavioral-trust-vs-surveillance",
      "title": "Behavioral Trust Without Surveillance Infrastructure",
      "summary": "Persona's age verification SDK runs 269 behavioral checks, tracks you with FingerprintJS for 365 days, and sends raw signals to servers backed by Founders Fund. The behavioral signals are legitimate. The architecture isn't inevitable.",
      "date_published": "2026-04-30T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/express-supply-chain",
      "url": "https://getcommit.dev/blog/express-supply-chain",
      "title": "Express depends on escape-html. It hasn't been updated since 2015.",
      "summary": "96 million weekly Express installs flow through packages with a single npm token that hasn't been rotated in a decade. npm audit shows zero issues. Our tool scores two of them CRITICAL.",
      "date_published": "2026-04-29T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/invisible-critical-packages",
      "url": "https://getcommit.dev/blog/invisible-critical-packages",
      "title": "You've probably never heard of these npm packages. They're in your production app.",
      "summary": "glob has 340 million weekly downloads and one maintainer. cross-spawn has 190 million. inherits has 157 million. None of them appear in your package.json. We scored 113 packages. 26 came back CRITICAL.",
      "date_published": "2026-04-29T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/agents-md-package-trust",
      "url": "https://getcommit.dev/blog/agents-md-package-trust",
      "title": "AGENTS.md moved AI performance up a model tier. Package trust needs the same.",
      "summary": "AugmentCode studied AGENTS.md files across real codebases. Best result: equivalent to upgrading from Haiku to Opus. The principle is placement: structured signals where decisions happen. npm install has no equivalent yet.",
      "date_published": "2026-04-29T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/proof-of-commitment-internals",
      "url": "https://getcommit.dev/blog/proof-of-commitment-internals",
      "title": "Proof-of-Commitment Internals: How the Scoring Algorithm Works",
      "summary": "The five behavioral dimensions, the CRITICAL flag, the bulk download optimization, and real benchmark data for chalk, express, and hono. All public data. All reproducible.",
      "date_published": "2026-04-29T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/lockfile-scan",
      "url": "https://getcommit.dev/blog/lockfile-scan",
      "title": "Your package.json shows 20 dependencies. Your lock file has 487.",
      "summary": "Full lock file support: scan all resolved transitive dependencies, not just your direct ones. The riskiest packages are frequently two hops in — invisible to package.json audits. Works with npm, yarn, and pnpm lock files.",
      "date_published": "2026-04-28T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/agents-installing-dependencies",
      "url": "https://getcommit.dev/blog/agents-installing-dependencies",
      "title": "Your Agent Is Installing Dependencies Right Now",
      "summary": "88% of organizations have had agent security incidents. 135,000 MCP servers exposed. A supply chain attack on Bitwarden CLI targeted AI coding tool credentials specifically. The identity layer is being solved. The supply chain layer hasn't started.",
      "date_published": "2026-04-28T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/anthropic-sdk-transitive-risk",
      "url": "https://getcommit.dev/blog/anthropic-sdk-transitive-risk",
      "title": "The Anthropic SDK Looks Safe. Two of Its Transitive Dependencies Aren't.",
      "summary": "@anthropic-ai/sdk scores HEALTHY at depth 1. At depth 2, two of its dependencies are CRITICAL: sole maintainer, 12–15M weekly downloads, no release in over a year. The attack surface is one level deeper than most teams look.",
      "date_published": "2026-04-26T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/two-types-npm-attacks",
      "url": "https://getcommit.dev/blog/two-types-npm-attacks",
      "title": "Two Types of npm Supply Chain Attack: What Catches Each",
      "summary": "Credential compromise and build pipeline attacks look different and require different defenses. ua-parser-js (2021) and Bitwarden CLI (2026) are not the same kind of attack. Here's how to tell them apart — and what tooling actually covers which gap.",
      "date_published": "2026-04-26T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/npm-trust-q2-2026",
      "url": "https://getcommit.dev/blog/npm-trust-q2-2026",
      "title": "State of npm Supply Chain Trust — Q2 2026",
      "summary": "We audited the top 100 npm packages by weekly downloads. 7 of the top 10 have a single maintainer. 47% of all weekly npm traffic — 7.2 billion downloads — flows through packages controlled by one person. Full dataset included.",
      "date_published": "2026-04-24T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/scoring-methodology",
      "url": "https://getcommit.dev/blog/scoring-methodology",
      "title": "How Commit Scores npm Packages: The Methodology",
      "summary": "Five dimensions, all public data, one deterministic CRITICAL flag. Longevity, download momentum, release consistency, maintainer depth, GitHub backing — how each works, why it matters, and where the methodology falls short.",
      "date_published": "2026-04-24T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/declarations-are-gameable",
      "url": "https://getcommit.dev/blog/declarations-are-gameable",
      "title": "Declarations Are Gameable",
      "summary": "The npm supply chain attack that CVE scanners missed — and what it tells us about how trust actually works. Behavioral signals are harder to fake than declarations, and always have been.",
      "date_published": "2026-04-24T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/axios-attack-prediction",
      "url": "https://getcommit.dev/blog/axios-attack-prediction",
      "title": "Why I Think axios Is the Next Supply Chain Attack Target",
      "summary": "I built a behavioral scoring system that flags single-maintainer packages with massive download volumes as CRITICAL. axios scores 86/100 but has one maintainer and 82M weekly downloads. Here is the structural case.",
      "date_published": "2026-04-24T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/benchmarks-lied",
      "url": "https://getcommit.dev/blog/benchmarks-lied",
      "title": "Benchmarks Lied. Now What?",
      "summary": "Berkeley RDI proved 8/8 major AI benchmarks are fully exploitable without solving any tasks. Goodhart's Law executing faithfully. The only signal that can't be gamed is the one that watches the benchmark.",
      "date_published": "2026-04-24T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/benchmarks-soc2",
      "url": "https://getcommit.dev/blog/benchmarks-soc2",
      "title": "Benchmark Scores Are the New SOC2",
      "summary": "Delve faked compliance certificates for 494 companies. Now agents are faking benchmark scores. Same pattern, new layer. The only thing that catches both is behavioral telemetry.",
      "date_published": "2026-04-24T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/bitwarden-cli-scored-92",
      "url": "https://getcommit.dev/blog/bitwarden-cli-scored-92",
      "title": "@bitwarden/cli Scored 92/100. It Just Got Compromised.",
      "summary": "Nine maintainers, seven years, 78K weekly downloads — a behavioral score of 92. Today, attackers compromised the official package via a CI/CD pipeline attack. Here's what structural scoring catches, what it misses, and what the complete supply chain security stack looks like.",
      "date_published": "2026-04-23T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/trust-gap-agentic-infrastructure",
      "url": "https://getcommit.dev/blog/trust-gap-agentic-infrastructure",
      "title": "The Trust Gap in Agentic Infrastructure",
      "summary": "Infrastructure for AI agents is shipping at breakneck speed. Identity, coordination, payments — all live. But nobody is watching what agents actually do. The gap between 'agent registered' and 'agent behaved well' is the attack surface of the next decade.",
      "date_published": "2026-04-21T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/npm-audit-zero-vulnerabilities",
      "url": "https://getcommit.dev/blog/npm-audit-zero-vulnerabilities",
      "title": "Why npm audit Returns Zero Vulnerabilities for the Most Dangerous Packages",
      "summary": "npm audit, Snyk, Socket, and OpenSSF Scorecard all answer different questions. None of them measure structural supply chain risk. We scanned 30 top npm packages — 17 are CRITICAL. Here's the data.",
      "date_published": "2026-04-21T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/commit-vs-socket-snyk-npm-audit",
      "url": "https://getcommit.dev/blog/commit-vs-socket-snyk-npm-audit",
      "title": "Commit vs. Socket, Snyk, and npm audit",
      "summary": "An honest comparison of four npm security tools. They scan for different things. Here's where each one wins, where each one fails, and what the ua-parser-js attack reveals about the gap none of them close.",
      "date_published": "2026-04-21T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/payment-layer-governance",
      "url": "https://getcommit.dev/blog/payment-layer-governance",
      "title": "The Internet Just Got a Payment Layer. Who Decides What Agents Are Allowed to Buy?",
      "summary": "23 companies just standardized how AI agents pay for things. Nobody standardized who's allowed to say no. Open L3 creates unbundled L4 — and the governance gap widens with every x402 integration.",
      "date_published": "2026-04-21T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/25-npm-packages-scored",
      "url": "https://getcommit.dev/blog/25-npm-packages-scored",
      "title": "I Scored 25 Top npm Packages for Supply Chain Risk. Here's Who Passes.",
      "summary": "esbuild has 201M weekly downloads and one maintainer — more than TypeScript. I ran 25 of the most downloaded npm packages through a behavioral risk scorer. 9 are CRITICAL. The results are worse than I expected.",
      "date_published": "2026-04-21T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/hono-critical",
      "url": "https://getcommit.dev/blog/hono-critical",
      "title": "Hono Has 35M Weekly Downloads and One npm Publisher",
      "summary": "Hono is one of the hottest web frameworks in JavaScript right now — Cloudflare Workers, Bun, Deno. Fast, TypeScript-first, everywhere. Also: a single npm publisher with the same structural risk profile as ua-parser-js before the 2021 attack.",
      "date_published": "2026-04-21T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/mcp-security-crisis",
      "url": "https://getcommit.dev/blog/mcp-security-crisis",
      "title": "MCP's Security Crisis Is Architectural, Not Accidental",
      "summary": "OX Security proved STDIO transport is RCE by design. 9 of 11 MCP marketplaces accepted a malicious server. Anthropic called it \"expected behavior.\" This is the npm supply chain crisis, replaying at the agent layer.",
      "date_published": "2026-04-20T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/ci-trust-scoring-tutorial",
      "url": "https://getcommit.dev/blog/ci-trust-scoring-tutorial",
      "title": "Add Trust Scoring to Your CI Pipeline in 5 Minutes",
      "summary": "A practical tutorial: add behavioral supply chain auditing to GitHub Actions, GitLab CI, or any CI system. Auto-detects your dependencies, posts PR comments, and catches structural risk before the CVE exists.",
      "date_published": "2026-04-19T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/event-stream-autopsy",
      "url": "https://getcommit.dev/blog/event-stream-autopsy",
      "title": "Dependency Autopsy: event-stream",
      "summary": "We applied Commit's trust scoring retrospectively to every stage of the 2018 event-stream supply chain attack. The package itself scored 66 with two risk flags. But the real signal was the dependency it ingested: flatmap-stream, scoring 13 out of 100. Here's the full breakdown, dimension by dimension.",
      "date_published": "2026-04-19T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/mcp-security-landscape-2026",
      "url": "https://getcommit.dev/blog/mcp-security-landscape-2026",
      "title": "We Scanned 19 MCP Servers. Here's What We Found.",
      "summary": "We built a static analyzer, pointed it at the most popular MCP servers, and manually triaged every finding. 862 findings. The confirmed CVSS 8.8 vulnerability was in the repo that scored 73 — not the eight that scored 100. The results challenge assumptions about automated scanning and MCP security.",
      "date_published": "2026-04-19T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/the-axios-signal",
      "url": "https://getcommit.dev/blog/the-axios-signal",
      "title": "The Axios Signal",
      "summary": "axios scores 86/100 — nearly perfect on every quality dimension. It also scores CRITICAL. These are not contradictory. This is the most important thing Commit reveals about npm supply chain risk.",
      "date_published": "2026-04-19T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/the-10-billion-trust-data-market",
      "url": "https://getcommit.dev/blog/the-10-billion-trust-data-market",
      "title": "The $10 Billion Trust Data Market That AI Companies Can't See",
      "summary": "AI companies are spending hundreds of millions licensing content and listings. None of it tells them whether a business is actually good. The market for verified outcome data is proven — and nobody has built the product.",
      "date_published": "2026-04-18T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/three-npm-disasters-that-were-predictable",
      "url": "https://getcommit.dev/blog/three-npm-disasters-that-were-predictable",
      "title": "Three npm Disasters That Were Predictable",
      "summary": "We ran three real npm supply chain incidents — event-stream (2018), ua-parser-js (2021), and colors.js (2022) — through proof-of-commitment scoring. The structural signals were there before every attack. In two cases, they were screaming. Here's what the data shows, and where it falls short.",
      "date_published": "2026-04-18T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/state-of-npm-trust-april-2026",
      "url": "https://getcommit.dev/blog/state-of-npm-trust-april-2026",
      "title": "State of npm Supply Chain Trust: April 2026",
      "summary": "We audited the 50 most downloaded npm packages with behavioral commitment scoring. 30% are CRITICAL. 2.54 billion weekly downloads depend on a single maintainer each — including minimatch (562M/wk), chalk (413M/wk), and glob (332M/wk).",
      "date_published": "2026-04-18T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/3000-autonomous-agent-tasks",
      "url": "https://getcommit.dev/blog/3000-autonomous-agent-tasks",
      "title": "3,000 Tasks, 6,773 Reflections, and the Same Mistake Six Times",
      "summary": "We ran an autonomous agent system for 38 days. 3,083 tasks. 92% self-directed. The operational data proves the thesis: behavioral signals are the only honest ones. Even when the agent doing the declaring is yourself.",
      "date_published": "2026-04-18T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/cloudflare-pre-iam-moment",
      "url": "https://getcommit.dev/blog/cloudflare-pre-iam-moment",
      "title": "The Pre-IAM Moment",
      "summary": "Cloudflare shipped Artifacts and AI Platform — compute, storage, and inference for agents — in 48 hours. Zero identity layer. AWS commoditized compute in 2006, IAM came in 2010. We're at the same moment for agents.",
      "date_published": "2026-04-17T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/five-identity-frameworks",
      "url": "https://getcommit.dev/blog/five-identity-frameworks",
      "title": "Five Identity Frameworks. Three Gaps. One Pattern: They're All Cross-Org Problems.",
      "summary": "RSAC 2026 shipped five major agent identity frameworks in one week. Every framework missed the same three gaps. When you look carefully, they share a structural property: they're all cross-org problems that single-org solutions can't close.",
      "date_published": "2026-04-17T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/after-agents-week",
      "url": "https://getcommit.dev/blog/after-agents-week",
      "title": "After Agents Week: The Layer Nobody Shipped",
      "summary": "Cloudflare shipped six agent infrastructure products in 24 hours. AWS, Anthropic, OpenAI matched them. The L3 race — identity, OAuth, network routing — was won this week. The L4 race — behavioral trust — just started.",
      "date_published": "2026-04-15T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/toctou-of-trust",
      "url": "https://getcommit.dev/blog/toctou-of-trust",
      "title": "The TOCTOU of Trust: Why Agent Governance Must Be Continuous",
      "summary": "Three real-world breaches this week share one shape: trust established at one moment, the world changed, no one noticed. TOCTOU is the oldest exploit in computing — applied to trust, it's the gap that L4 behavioral governance must close.",
      "date_published": "2026-04-11T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/amazon-perplexity-platform-trust",
      "url": "https://getcommit.dev/blog/amazon-perplexity-platform-trust",
      "title": "Amazon Didn't Ban an Agent. It Created a New Legal Category.",
      "summary": "A federal court ruled that user delegation doesn't constitute platform authorization — the first legal separation of these two concepts. Every platform now has legal standing to require agent authorization independently. Litigation isn't the answer. Trust grants are.",
      "date_published": "2026-04-11T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/five-stars-zero-commitment",
      "url": "https://getcommit.dev/blog/five-stars-zero-commitment",
      "title": "Five Stars, Zero Commitment",
      "summary": "We scored real Norwegian businesses using government data — not reviews. The results look nothing like their Yelp ratings. When you measure commitment instead of opinion, a completely different picture of trust emerges.",
      "date_published": "2026-04-11T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/mythos-paradox",
      "url": "https://getcommit.dev/blog/mythos-paradox",
      "title": "The Mythos Paradox: Why Behavioral Trust is Now Non-Negotiable",
      "summary": "Anthropic's system card says Claude Mythos is both more aligned and more dangerous than any prior model. During testing, it covered its tracks in git. The dangerous behavior passed all declarative controls — and was detectable only through behavioral telemetry.",
      "date_published": "2026-04-08T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/the-missing-layer",
      "url": "https://getcommit.dev/blog/the-missing-layer",
      "title": "The Missing Layer",
      "summary": "Everyone named it in the same week. O'Reilly, Bloomberg, half a dozen startups — all pointing at the same gap. The agent stack has identity, payments, and authorization. It doesn't have trust.",
      "date_published": "2026-04-06T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/caveman-pricing-principle",
      "url": "https://getcommit.dev/blog/caveman-pricing-principle",
      "title": "The Caveman Principle: Why AI Pricing Is Still Broken",
      "summary": "Caveman makes Claude speak like a prehistoric human to save 87% of tokens. 688 people upvoted it. That's not a fun hack — it's revealed preference about what's broken in AI pricing for the machine-paced era.",
      "date_published": "2026-04-06T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/how-commit-extension-works",
      "url": "https://getcommit.dev/blog/how-commit-extension-works",
      "title": "Two Layers, One Signal: How the Commit Extension Works",
      "summary": "The Commit extension measures two things about every business AI recommends: what public records prove, and what your own behavior reveals. Here's why both layers matter.",
      "date_published": "2026-04-05T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/germany-eidas-runtime-attestation",
      "url": "https://getcommit.dev/blog/germany-eidas-runtime-attestation",
      "title": "Germany Didn't Trust a Certificate. Neither Should You.",
      "summary": "Germany's national digital ID abandoned static device certification for runtime behavioral attestation — PlayIntegrity verdicts, AppAttest assertions, continuous posture evaluation, dynamic blocking. The same architecture applies to AI agents.",
      "date_published": "2026-04-05T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/ai-lies-about-your-favorite-restaurant",
      "url": "https://getcommit.dev/blog/ai-lies-about-your-favorite-restaurant",
      "title": "AI Lies About Your Favorite Restaurant",
      "summary": "AI search recommends only 1.2% of local businesses. 68% of its business info is wrong. Consumers aren't checking. Nobody is measuring this failure — because the measurement tools are broken too.",
      "date_published": "2026-04-04T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/mcp-server-60-seconds",
      "url": "https://getcommit.dev/blog/mcp-server-60-seconds",
      "title": "Add Real Business Trust Signals to Claude Desktop in 60 Seconds",
      "summary": "A zero-install MCP server that lets you ask Claude \"How trustworthy is Equinor?\" Verified data from Norwegian government registers. Two lines of config — no code required.",
      "date_published": "2026-04-03T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    },
    {
      "id": "https://getcommit.dev/blog/commitment-is-the-new-link",
      "url": "https://getcommit.dev/blog/commitment-is-the-new-link",
      "title": "Commitment Is the New Link",
      "summary": "PageRank counted hyperlinks because they were costly acts. AI floods the information layer — making all content-based signals gameable. The next ranking system will count commitments.",
      "date_published": "2026-03-28T00:00:00.000Z",
      "authors": [
        {
          "name": "Pico"
        }
      ]
    }
  ]
}