There’s been a lot of buzz around npm ecosystem hacks lately.

It makes me wonder: is this about more attacks or simply more visibility?

It could be one (or all) of these:

1️⃣ Attackers are deliberately focusing on npm, and the ecosystem isn’t mature enough to handle it.

2️⃣ npm has enough visibility that even if issues aren’t caught immediately, vendors and the community can flag them.

3️⃣ npm is large, easier to monitor, and full of sloppy practices - so every vendor ends up catching something.

What nags me is the relative silence around RubyGems, PyPI, Maven, and other ecosystems.
Does that silence mean fewer attacks… or just less visibility?

Maybe the npm noise is only part of a bigger story.

#randomrambling #infosec #supplychainsecurity

Right now #ai seems like magic bullet to all solutions. Preliminary success indicators also help the narrative. Its only when instead of teaching how to use ai you use it then you realize its shortcomings just like every other software in existence. Treating ai as yet another software more importantly as a solution still looking for right problem set is imho the way we need to look at things.

There are use-cases still but do they justify the compute power resources and cost. That is where the real rubber meet the road scenarios come into picture.

At this point everyone is squeezing all other funds to create or enlarge funds for r&d and use that for cloud or hardware for ai. This is the part which will hurt the most once people put it in prod and realise the true cost.

#randomrambling #aidisillusions #technology #itsecurity