A malicious JavaScript dependency reportedly evolved in plain sight, then used a trusted developer workflow and a legitimate AI platform as cover for a stealthier supply-chain operation.
A sprawling npm supply-chain incident shows how a single publishing path can ripple through developer tooling, while provenance metadata may look reassuring even when it is part of the problem.