Blog
Notes from the watch path
Supply chain risk, coding agents, MCP configs, and what passive sensors can see on developer Macs — without the fear-mongering.
Coding agents install faster than your review process
Cursor and Claude Code run package managers in the background. By the time a human opens the diff, the dependency is already on disk.
- coding-agents
- supply-chain
- macos
MCP servers are an unsigned install path
Model Context Protocol configs land on disk with no registry, semver policy, or SBOM. A new MCP entry is a supply chain event most stacks never modeled.
- mcp
- supply-chain
- ai-agents
Microsoft's durabletask PyPI compromise of May 19, 2026
Three malicious durabletask versions hit PyPI in 35 minutes with no matching GitHub release. Importing the SDK was enough to run the stealer.
- pypi
- microsoft
- python
- supply-chain
Nx Console, GitHub, and the May 18 supply chain breach
A trojanized VS Code extension lived on the marketplace for roughly 11 minutes. GitHub disclosed exfiltration of about 3,800 internal repositories on May 19, 2026.
- vscode
- github
- supply-chain
- extensions
The TanStack npm compromise of May 11, 2026
TeamPCP chained pull_request_target, GitHub Actions cache poisoning, and OIDC token extraction to publish 84 malicious @tanstack versions in six minutes.
- tanstack
- npm
- github-actions
- supply-chain
Lessons from the XZ Utils backdoor for developer Macs
CVE-2024-3094 showed that a maintainer-takeover campaign run over roughly two years can land a backdoor in release tarballs that the git tree never showed. Developer laptops pull those packages before any central scanner runs.
- supply-chain
- xz-utils
- macos
The Axios npm compromise of March 2026
On March 31, 2026, UNC1069 published backdoored axios versions for 174 minutes. plain-crypto-js dropped WAVESHAPER.V2 across macOS, Windows, and Linux.
- npm
- axios
- supply-chain
Typosquatting when agents run npm install
Agents resolve package names from context, not careful spelling. Typosquats that humans catch in review slip through when npm install runs unsupervised.
- typosquatting
- npm
- coding-agents
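An added example of the pre-install check the post above is arguing for: pull the package names out of the `npm install` line an agent is about to run and flag any name that is not on a reviewed list but sits one edit away from one. This is example code written for this page, not code from any of the posts listed here; the allowlist, the command line and the distance thresholds are constructed assumptions, and a real deployment would seed the allowlist from your lockfiles or registry mirror.

```python
import shlex
from typing import Dict, List, Tuple

# Constructed allowlist: the names this team has already reviewed. In practice
# seed it from existing lockfiles or an internal registry mirror.
KNOWN_GOOD = {"axios", "chalk", "commander", "express", "lodash", "left-pad"}


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap two
    adjacent characters. The swap matters because 'axois' for 'axios' is one
    transposition, not two substitutions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def normalize(name: str) -> str:
    """Fold the cheap lookalike tricks (case, underscore vs hyphen) before comparing."""
    return name.lower().replace("_", "-")


def specs_from_command(cmd: str) -> List[str]:
    """Pull bare package names out of an `npm install ...` / `npm i ...` line,
    dropping flags and trailing @version specs while keeping a leading @scope/."""
    names = []
    for tok in shlex.split(cmd)[2:]:  # skip the "npm install" or "npm i" prefix
        if tok.startswith("-"):
            continue
        cut = tok.find("@", 1)  # search from index 1 so "@types/node@20" keeps its scope
        names.append(tok[:cut] if cut > 0 else tok)
    return names


def classify(requested: List[str], known=KNOWN_GOOD) -> Dict[str, Tuple[str, int, str]]:
    """Map each requested name to (nearest known name, distance, verdict).
    'typosquat?' means the name is NOT known but is within edit distance 1 of a
    known name (2 for known names of 8+ characters); 'unknown' means it is simply
    not on the list and needs a normal review, not a typo check."""
    out: Dict[str, Tuple[str, int, str]] = {}
    for raw in requested:
        name = normalize(raw)
        if name in known:
            out[raw] = (name, 0, "ok")
            continue
        nearest, dist = min(((k, edit_distance(name, k)) for k in sorted(known)),
                            key=lambda t: t[1])
        limit = 2 if len(nearest) >= 8 else 1
        out[raw] = (nearest, dist, "typosquat?" if dist <= limit else "unknown")
    return out


if __name__ == "__main__":
    # Constructed command line of the kind an agent emits from context, not from a spec.
    cmd = "npm install axois expres lodsah lodash@4.17.21 @types/node@20"
    for name, (near, dist, verdict) in classify(specs_from_command(cmd)).items():
        print(f"{name:14} -> {verdict:11} (nearest {near}, distance {dist})")
```

The threshold is deliberately tight: at distance 1 a human reviewer would have caught it, which is exactly the class of mistake that disappears when nobody is watching the install. Anything further away is reported as unknown rather than suspicious, so the check stays quiet on legitimately new dependencies.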
Agent mishaps when automation deletes production
Replit's July 2025 database incident and Cursor's MCP trust bypass show how agent tooling fails without visibility into what changed on disk.
- coding-agents
- incidents
- operations
The Shai-Hulud worm and what it means for npm on Macs
Starting September 15, 2025, a self-propagating npm worm compromised 500+ packages. Developer Macs that ran npm install during the window were in blast radius.
- npm
- supply-chain
- shai-hulud
Why passive sensors beat blocking on agent-heavy Macs
Approval gates slow humans. Agents still install packages and MCP servers in the background. Visibility answers what actually landed on disk.
- passive-sensor
- macos
- fleet
Lockfiles tell you what landed, not who installed it
Koban inventories packages from disk without attributing them to a process. That is a feature, not a gap, and here is why.
- inventory
- lockfiles
- macos
Fleet visibility on macOS without another EDR
Developer Macs need package and MCP inventory, not kernel hooks. A passive sensor fills the gap between MDM and endpoint agents.
- macos
- fleet
- edr
From annual audit to continuous diff
Supply chain incidents unfold in days. Quarterly snapshots cannot show what an agent installed yesterday. Heartbeat diffs can.
- fleet
- visibility
- compliance
YAML policy rules for MCP and package drift
Fleet rules turn inventory diffs into actionable alerts: allowlisted MCP servers, denied package names, version thresholds.
- fleet-rules
- yaml
- mcp
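An added example tying together the MCP-as-install-path, lockfile inventory, heartbeat diff and policy rule posts above: two snapshots of one developer Mac (a `package-lock.json` and an `mcpServers` config each) are flattened from disk, diffed, and run against a small drift policy with an MCP allowlist, a package denylist and a version floor. This is example code written for this page, not Koban's sensor code and not its YAML rule schema; the snapshots are constructed, the policy is a Python dict standing in for a YAML file so the example runs without PyYAML, and `unreviewed-shell-mcp` is a made-up name.

```python
import json
import re
from typing import Dict, List, Set, Tuple

PkgSet = Set[Tuple[str, str]]  # (package name, version)

# --- Constructed sample data: two heartbeats, T0 then T1 --------------------
# package-lock.json in the lockfileVersion 3 layout ("packages" keyed by path).
LOCK_T0 = json.dumps({
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "0.1.0"},
        "node_modules/axios": {"version": "1.7.9"},
        "node_modules/@tanstack/query-core": {"version": "5.59.0"},
    },
})
# T1: an agent ran `npm install` unattended between the two heartbeats.
LOCK_T1 = json.dumps({
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "0.1.0"},
        "node_modules/axios": {"version": "1.6.2"},                          # downgraded
        "node_modules/@tanstack/query-core": {"version": "5.59.0"},
        "node_modules/plain-crypto-js": {"version": "4.2.0"},                # new, on the denylist
        "node_modules/some-cli/node_modules/minimist": {"version": "1.2.8"}, # nested install
    },
})
# MCP config in the "mcpServers" shape that Cursor and Claude Desktop write.
MCP_T0 = json.dumps({"mcpServers": {
    "filesystem": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/Users/dev/src"]},
}})
MCP_T1 = json.dumps({"mcpServers": {
    "filesystem": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/Users/dev/src"]},
    "shell": {"command": "npx", "args": ["-y", "unreviewed-shell-mcp@latest"]},  # constructed, not allowlisted
}})

# Stand-in for the YAML rule file (a dict so this runs without PyYAML).
POLICY = {
    "mcp_allowlist": ["filesystem", "github"],
    "deny_packages": ["plain-crypto-js"],
    "min_versions": {"axios": "1.7.9"},
}


def lock_packages(lock_json: str) -> PkgSet:
    """Flatten a lockfileVersion 3 lockfile into (name, version) pairs. Nested
    installs (a/node_modules/b) are named by their last node_modules segment, so
    two versions of one package show up as two pairs. Nothing here says which
    process wrote the file; that is the point of a passive inventory."""
    pkgs: PkgSet = set()
    for path, meta in json.loads(lock_json).get("packages", {}).items():
        if not path:  # "" is the root project, not a dependency
            continue
        pkgs.add((path.rsplit("node_modules/", 1)[-1], meta.get("version", "?")))
    return pkgs


def mcp_servers(config_json: str) -> Dict[str, str]:
    """Map MCP server name -> the launch line it would run (command plus args)."""
    servers = json.loads(config_json).get("mcpServers", {})
    return {n: " ".join([s.get("command", "")] + list(s.get("args", []))) for n, s in servers.items()}


def diff_sets(before: PkgSet, after: PkgSet) -> Tuple[PkgSet, PkgSet]:
    """(added, removed) between two heartbeats."""
    return after - before, before - after


def version_tuple(v: str) -> Tuple[int, ...]:
    """Numeric prefix only ('1.7.9-beta' -> (1, 7, 9)); anything that is not
    semver sorts lowest so it trips a version floor and gets looked at."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v)
    return tuple(int(x) for x in m.groups()) if m else (-1,)


def evaluate(policy, lock_before, lock_after, mcp_before, mcp_after) -> List[str]:
    """Turn the diff into alerts: denied names that landed, versions below the
    floor, new MCP servers outside the allowlist, and changed launch lines."""
    alerts: List[str] = []
    added_pk, _removed = diff_sets(lock_packages(lock_before), lock_packages(lock_after))
    for name, ver in sorted(added_pk):
        if name in policy["deny_packages"]:
            alerts.append(f"denied package landed: {name}@{ver}")
    for name, ver in sorted(lock_packages(lock_after)):
        floor = policy["min_versions"].get(name)
        if floor and version_tuple(ver) < version_tuple(floor):
            alerts.append(f"version below threshold: {name}@{ver} < {floor}")
    sv_before, sv_after = mcp_servers(mcp_before), mcp_servers(mcp_after)
    for name in sorted(set(sv_after) - set(sv_before)):
        if name not in policy["mcp_allowlist"]:
            alerts.append(f"MCP server not allowlisted: {name} -> {sv_after[name]}")
    for name in sorted(set(sv_after) & set(sv_before)):
        if sv_after[name] != sv_before[name]:
            alerts.append(f"MCP server launch line changed: {name} -> {sv_after[name]}")
    return alerts


if __name__ == "__main__":
    for line in evaluate(POLICY, LOCK_T0, LOCK_T1, MCP_T0, MCP_T1):
        print(line)
```

The denylist check runs only over what was added since the last heartbeat, so a package that was already present and already reviewed does not re-alert every cycle, while the version floor runs over the whole current inventory because a downgrade is a state, not an event. Changed launch lines are reported even for allowlisted MCP servers: the name staying the same tells you nothing if the `npx` target underneath it moved.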