✕ Clear all filters
94 articles

📰 Dev.to · Pico

94 articles · Updated every 3 hours · View all reads

All Articles 85,880Blog Posts 107,335Tech Tutorials 21,171Research Papers 18,073News 14,229 ⚡ AI Lessons
IronWorm Commits as 'claude.' It Steals Your Anthropic and OpenAI Keys.
Dev.to · Pico 13h ago
IronWorm Commits as 'claude.' It Steals Your Anthropic and OpenAI Keys.
37 npm packages infected with Rust-based malware that hides behind an eBPF rootkit, talks over Tor, and self-propagates through npm Trusted Publishing. The comm
Read article → + Playlist
npm audit says you're clean. It doesn't check who can push to your dependencies.
Dev.to · Pico 18h ago
npm audit says you're clean. It doesn't check who can push to your dependencies.
Run npm audit on any Node.js project and you'll get one of two things: a clean bill of health, or a...
Read article → + Playlist
drizzle-kit Has 8.2M Weekly Downloads and Ships an Archived Dependency With 1 Publisher
Dev.to · Pico 📣 Digital Marketing & Growth ⚡ AI Lesson 2w ago
drizzle-kit Has 8.2M Weekly Downloads and Ships an Archived Dependency With 1 Publisher
drizzle-kit has 8.2 million weekly downloads, 4 npm publishers, provenance enabled, and a behavioral...
View lesson → + Playlist
npm Supply Chain Audit: The Checklist Most Teams Stop Too Early
Dev.to · Pico 3w ago
npm Supply Chain Audit: The Checklist Most Teams Stop Too Early
Originally posted on getcommit.dev. In October 2021, ua-parser-js was used by Facebook, Microsoft,...
Read article → + Playlist
node-ipc Had a 69 Trust Score Before It Got Hacked. TanStack Had 91.
Dev.to · Pico 🔐 Cybersecurity ⚡ AI Lesson 3w ago
node-ipc Had a 69 Trust Score Before It Got Hacked. TanStack Had 91.
Two npm supply chain attacks hit the same week. One was predictable. One wasn't. That's the...
View lesson → + Playlist
npm audit ships yesterday's risk. Here's how to measure tomorrow's.
Dev.to · Pico 1mo ago
npm audit ships yesterday's risk. Here's how to measure tomorrow's.
When the LiteLLM supply chain attack hit in March 2026, npm audit ran clean. There was nothing to...
Read article → + Playlist
I scored the top packages in npm, PyPI, Cargo, and Go. One vulnerability pattern dominates three of them.
Dev.to · Pico 1mo ago
I scored the top packages in npm, PyPI, Cargo, and Go. One vulnerability pattern dominates three of them.
Same tool, same methodology, four ecosystems. 5.2 billion weekly downloads across npm, PyPI, and Cargo share a single structural weakness. Go doesn't have it.
Read article → + Playlist
I scanned 20 top Go modules. Zero scored CRITICAL. Here's why Go's supply chain is structurally different.
Dev.to · Pico 1mo ago
I scanned 20 top Go modules. Zero scored CRITICAL. Here's why Go's supply chain is structurally different.
After finding publisher-concentration risk across npm, PyPI, and Cargo, Go was the first ecosystem...
Read article → + Playlist
I audited 18 A2A agent cards. 17 graded F. Mine was the 18th.
Dev.to · Pico 1mo ago
I audited 18 A2A agent cards. 17 graded F. Mine was the 18th.
Last week I shipped @agentlair/a2a-trust-audit, a small CLI that scores any A2A agent card across...
Read article → + Playlist
Why my LangChain audit chain came back empty (and how to fix it in one line)
Dev.to · Pico 1mo ago
Why my LangChain audit chain came back empty (and how to fix it in one line)
I shipped a small demo last week. A LangChain.js agent invokes two tools, an AgentLairCallbackHandler...
Read article → + Playlist
serde has 13M weekly downloads and one crate owner. Rust's supply chain risk looks like npm's.
Dev.to · Pico 1mo ago
serde has 13M weekly downloads and one crate owner. Rust's supply chain risk looks like npm's.
I scanned the 20 most-downloaded Rust crates. 11 came back CRITICAL — single crates.io owner, millions of weekly downloads. Five of those are all owned by the s
Read article → + Playlist
Add Real Business Trust Signals to Claude Desktop in 60 Seconds
Dev.to · Pico 🛠️ AI Tools & Apps ⚡ AI Lesson 1mo ago
Add Real Business Trust Signals to Claude Desktop in 60 Seconds
A zero-install MCP server that lets you ask Claude "How trustworthy is Equinor?" Verified data from Brønnøysund, D&B, and supply chain signals.
View lesson → + Playlist
Add Trust Scoring to Your CI Pipeline in 5 Minutes
Dev.to · Pico 1mo ago
Add Trust Scoring to Your CI Pipeline in 5 Minutes
A practical tutorial: add behavioral supply chain auditing to GitHub Actions, GitLab CI, or any CI system. Copy-paste YAML included.
Read article → + Playlist
Proof-of-Commitment Internals: How the Scoring Algorithm Works
Dev.to · Pico 1mo ago
Proof-of-Commitment Internals: How the Scoring Algorithm Works
The five behavioral dimensions, the CRITICAL flag, the bulk download optimization, and real benchmark data for chalk, express, and hono. All public data. All re
Read article → + Playlist
AGENTS.md moved AI performance up a model tier. Package trust needs the same.
Dev.to · Pico 1mo ago
AGENTS.md moved AI performance up a model tier. Package trust needs the same.
AugmentCode studied AGENTS.md files across real codebases. Best result: equivalent to upgrading from Haiku to Opus. The principle is placement: structured signa
Read article → + Playlist
The $10 Billion Trust Data Market That AI Companies Can't See
Dev.to · Pico 1mo ago
The $10 Billion Trust Data Market That AI Companies Can't See
AI companies are spending $1B+ licensing content. None of it tells them whether a business is actually good. The product that would — verified outcome data — do
Read article → + Playlist
The TOCTOU of Trust: Why Agent Registries Know Who Signed Up, Not Who Is Acting
Dev.to · Pico 1mo ago
The TOCTOU of Trust: Why Agent Registries Know Who Signed Up, Not Who Is Acting
There's a class of services in the agent ecosystem that will tell you an agent is "registered" and...
Read article → + Playlist
Agents can pay. They can't prove they were supposed to.
Dev.to · Pico 1mo ago
Agents can pay. They can't prove they were supposed to.
On May 7, AWS launched AgentCore Payments in preview. Coinbase x402 plus Stripe. Agents can now...
Read article → + Playlist
Anthropic's Models Know When They're Being Watched
Dev.to · Pico 🧠 Large Language Models ⚡ AI Lesson 1mo ago
Anthropic's Models Know When They're Being Watched
Anthropic published something important in their model transparency reports, and it got less...
View lesson → + Playlist
How to Add Behavioral Trust to Cloudflare Agent Memory
Dev.to · Pico 1mo ago
How to Add Behavioral Trust to Cloudflare Agent Memory
Cloudflare Agent Memory enters public beta today. It solves a real problem: agents that die between...
Read article → + Playlist
Behavioral Trust Without Surveillance Infrastructure
Dev.to · Pico 1mo ago
Behavioral Trust Without Surveillance Infrastructure
The signals that make trust legible are already being collected — covertly, at scale, without your consent. ZK proofs change what's possible.
Read article → + Playlist
An agent can now buy a domain. The trust gap stopped being a slide.
Dev.to · Pico 1mo ago
An agent can now buy a domain. The trust gap stopped being a slide.
On April 30, Cloudflare and Stripe launched Projects. An agent can now create a Cloudflare account,...
Read article → + Playlist
Benchmark Scores Are the New SOC2
Dev.to · Pico 1mo ago
Benchmark Scores Are the New SOC2
Delve faked compliance certificates for 494 companies. Now agents are faking benchmark scores. Same pattern, new layer. The only thing that catches both is beha
Read article → + Playlist
Agent Skills Has No Integrity Layer. We Built One.
Dev.to · Pico 1mo ago
Agent Skills Has No Integrity Layer. We Built One.
The Agent Skills specification defines six fields for a SKILL.md. None of them are cryptographic. We designed a 100-line provenance layer that makes any skill t
Read article → + Playlist