Do You Know What You Built Last Summer?!
You vibe coded it. You shipped it. Now let's find out if you actually know what's in there. No shame — just truth.
Knowledge Is Protection
Learn how to manage the packages your app relies on and reduce the risk of supply chain issues.

Open up your project's package.json file. See that list of dependencies? Each one is a piece of code written by someone you have never met, running inside your application, with access to everything your app can do. Now look at node_modules — that folder with 500+ packages you have never heard of. In September 2025, 200+ npm packages were compromised in a single attack when a maintainer of chalk and debug was phished. Aggregate weekly downloads: in the billions. Your supply chain is one phishing email away from being someone else's attack vector.
Dependencies are the third-party packages and libraries your app uses. When your AI tool generates code, it loves pulling in packages. Need to format a date? There is a package for that. Need to validate an email? Package. Parse markdown? Package. Each one saves you from writing code yourself, which sounds great until you realize what you are actually doing: trusting strangers' code to run inside your application.
These packages have their own dependencies too — that is why your node_modules folder is enormous even though your package.json only lists twenty items. A single package can pull in dozens of sub-dependencies, each one a potential point of failure.
And now there is a new risk that did not exist two years ago: slopsquatting. When AI tools generate code, about 20% of the time they recommend packages that do not actually exist. Attackers know this. They register those hallucinated package names and fill them with malicious code. 58% of hallucinated names are repeated across runs, making them reliably exploitable. Your AI tool might be directing you to install malware it invented.
Dependency vulnerabilities can also cascade into accessibility failures. A compromised dependency that injects malicious scripts can break ARIA landmarks, disable keyboard navigation, or inject content that screen readers announce unexpectedly. Your supply chain is your users' experience.

Your node_modules folder has 500 packages. You chose maybe 20. The AI chose the rest. Do you know who wrote them?
20% of AI-generated code samples recommend non-existent packages. 58% of those hallucinated names repeat across runs. Attackers register them.

In March 2024, a state-sponsored actor known as "Jia Tan" was discovered to have spent over two years social-engineering their way to co-maintainer of the xz-utils compression library. They inserted a backdoor — CVE-2024-3094, CVSS score of 10, the maximum — that would have given them a master key to hundreds of millions of SSH-enabled servers worldwide. It was discovered by accident when a Microsoft engineer noticed a 500-millisecond delay in SSH logins. Computer scientist Alex Stamos called it potentially "the most widespread and effective backdoor ever planted in any software product."
That September 2025 npm attack? A single phishing email mimicking npm stole a maintainer's username, password, and 2FA token. The attacker published poisoned versions of over 200 packages. Billions of weekly downloads compromised.
And Log4Shell — discovered in December 2021 with a CVSS score of 10 — is still being actively exploited. In Q1 2024, it represented 30% of outbound vulnerability exploitations. In July 2024, 13% of developers using Log4j were still downloading vulnerable versions. Four years later. Nation-state actors from China, Iran, North Korea, and Turkey have added it to their toolkits.
Vulnerability exploitation as initial access has grown to 20% of all breaches, a 34% increase year over year according to the Verizon DBIR 2025. Every unpatched dependency is an open invitation.

Someone spent two years pretending to be a helpful open-source maintainer. Two years. Just to plant a backdoor. And it almost worked.
XZ Utils: CVSS 10. npm attack: billions of weekly downloads. Log4Shell: still exploited 4 years later. Supply chain risk is compounding.

The npm audit command checks your dependencies against a database of known vulnerabilities. Run it monthly at minimum. If it reports critical or high severity issues, prioritize fixing them. Most fixes are as simple as updating to a newer version.
Check for outdated packages with npm outdated. You do not need to update everything immediately, but you should have a routine. Tools like Dependabot or Renovate can automate this. Remember: Log4Shell is still being exploited four years later because people do not update.
Before adding a new package, check its npm page or GitHub repo. Look at: last publish date, number of maintainers, open issues count, and weekly downloads. And if your AI suggested it, verify the package actually exists — slopsquatting is real.
AI tools often add packages you do not need. If a package is only used once or does something simple, consider whether you could write that code yourself. Fewer dependencies means a smaller attack surface and a faster build.
Your package-lock.json or yarn.lock file pins exact dependency versions so every install produces the same result. Always commit this file. Without it, you could get different versions on different machines — including a poisoned version published between your installs.
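The "check before you add it" habit can be scripted, and the same script catches the hallucinated-name problem described earlier, since a package name that returns 404 from the registry is exactly a slopsquatting candidate. The code below is an added example, not code from the original page or from Island Pitch. It reads the JSON document the public npm registry serves at https://registry.npmjs.org/<name> and the weekly count from https://api.npmjs.org/downloads/point/last-week/<name>, and applies the checklist above: last publish date, number of maintainer accounts, weekly downloads, and whether the name exists at all (open issue count lives on GitHub, not the registry, so it is left out). The thresholds in LIMITS, the candidate names, dates and counts are assumptions constructed for the example; the fetch helper is real Node 18+ code but is not called by the offline sample run.

```javascript
// Added example, not from the original page: vet a candidate package before
// installing it, using the npm registry metadata document and the downloads API.
// A 404 from the registry means the name does not exist, the slopsquatting case.
// Thresholds in LIMITS are assumptions; adjust them to your own risk appetite.

const DAY_MS = 24 * 60 * 60 * 1000;
const LIMITS = { staleDays: 730, newDays: 30, minMaintainers: 2, minWeeklyDownloads: 1000 };

// Live lookup (Node 18+ global fetch). Not invoked by the sample run below.
async function fetchCandidate(name) {
  const id = encodeURIComponent(name); // scoped names become @scope%2Fname, which the registry accepts
  const reg = await fetch(`https://registry.npmjs.org/${id}`);
  const dl = await fetch(`https://api.npmjs.org/downloads/point/last-week/${id}`);
  return {
    name,
    registryDoc: reg.status === 404 ? null : await reg.json(),
    weeklyDownloads: dl.ok ? (await dl.json()).downloads : null,
  };
}

// candidate = { name, registryDoc, weeklyDownloads }; registryDoc is null on 404.
// Returns { name, verdict: 'ok' | 'review' | 'reject', reasons: [...] }.
function vetPackage(candidate, now = Date.now()) {
  const { name, registryDoc: doc, weeklyDownloads } = candidate;
  if (!doc) {
    return { name, verdict: 'reject', reasons: ['not on the registry: a hallucinated or squatted name, do not install'] };
  }
  const reasons = [];
  const latest = doc['dist-tags'] ? doc['dist-tags'].latest : undefined;
  const time = doc.time || {};
  const publishedAt = latest && time[latest] ? Date.parse(time[latest]) : NaN;
  const createdAt = time.created ? Date.parse(time.created) : NaN;
  const maintainers = Array.isArray(doc.maintainers) ? doc.maintainers.length : 0;
  const daysAgo = (t) => Math.floor((now - t) / DAY_MS);

  if (Number.isNaN(publishedAt)) reasons.push('no publish date for the latest version');
  else if (daysAgo(publishedAt) > LIMITS.staleDays) reasons.push(`last published ${daysAgo(publishedAt)} days ago`);
  if (!Number.isNaN(createdAt) && daysAgo(createdAt) < LIMITS.newDays) reasons.push(`created only ${daysAgo(createdAt)} days ago`);
  if (maintainers < LIMITS.minMaintainers) reasons.push(`${maintainers} maintainer account(s): one phished login is enough`);
  if (weeklyDownloads == null) reasons.push('weekly download count unavailable');
  else if (weeklyDownloads < LIMITS.minWeeklyDownloads) reasons.push(`only ${weeklyDownloads} downloads last week`);
  return { name, verdict: reasons.length ? 'review' : 'ok', reasons };
}

// Constructed samples shaped like real registry responses. Names, dates and
// counts are invented for this example; the "now" is fixed so results are stable.
const SAMPLE_NOW = Date.parse('2025-10-01T00:00:00Z');
const SAMPLE_CANDIDATES = [
  { name: 'well-kept-lib', weeklyDownloads: 2500000, registryDoc: {
      'dist-tags': { latest: '3.4.1' },
      time: { created: '2019-01-15T10:00:00.000Z', '3.4.1': '2025-08-20T09:30:00.000Z' },
      maintainers: [{ name: 'a' }, { name: 'b' }, { name: 'c' }] } },
  // The AI tool suggested this name; the registry has never heard of it.
  { name: 'hallucinated-pkg-name', weeklyDownloads: null, registryDoc: null },
  { name: 'fresh-squat', weeklyDownloads: 42, registryDoc: {
      'dist-tags': { latest: '1.0.0' },
      time: { created: '2025-09-25T00:00:00.000Z', '1.0.0': '2025-09-25T00:00:00.000Z' },
      maintainers: [{ name: 'newacct' }] } },
  { name: 'abandoned-util', weeklyDownloads: 50000, registryDoc: {
      'dist-tags': { latest: '2.0.0' },
      time: { created: '2015-06-01T00:00:00.000Z', '2.0.0': '2020-03-01T00:00:00.000Z' },
      maintainers: [{ name: 'x' }, { name: 'y' }] } },
];

for (const c of SAMPLE_CANDIDATES) {
  const v = vetPackage(c, SAMPLE_NOW);
  console.log(`${v.verdict.padEnd(6)} ${v.name}${v.reasons.length ? ': ' + v.reasons.join('; ') : ''}`);
}
```

A "review" verdict is a prompt to open the npm page and the repository, not an automatic no; a single-maintainer package with healthy downloads may be fine, but it is the profile the September 2025 phishing attack exploited, so it deserves a conscious decision rather than a reflexive npm install.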

Five habits. Build them now. Your future self will thank you when the next supply chain attack hits the news.
5 items. npm audit takes 3 seconds to run. The XZ backdoor took 2 years to plant. Asymmetric effort favors the defender who checks.

Every dependency is a trust decision. Your AI tool made a lot of those decisions for you — and it might have even hallucinated some packages that do not exist. In a world where a two-year social engineering campaign can backdoor millions of servers and a single phishing email can compromise billions of downloads, knowing what is in your supply chain is not paranoia. It is professionalism.

You would not serve food from ingredients you have never inspected. Your code deserves the same treatment.
Vulnerability exploitation: 20% of breaches, up 34% year-over-year. Each unpatched dependency is a standing invitation.

Curious about what is lurking in your node_modules? A DYKWYBLS comprehension check examines your dependency tree and flags the risks you should know about. It is a great first step toward actually owning your supply chain. Part of how Island Pitch helps you Do Cool Things the Right Way!