A patched authentication bypass in Python.org’s release management API shows how a software supply chain can be threatened without touching the actual installer.
Sigstore points to a newer trust model for software releases: identity-backed signing, a public tamper-evident log, and less dependence on a long-lived secret.
A sprawling npm supply-chain incident shows how a single publishing path can ripple through developer tooling, while provenance metadata may look reassuring even when it is part of the problem.
A new product announcement spotlights a harder problem than prompt safety: proving where AI-generated code came from, and who stands behind it before it ships.