Security
Everything I've written about security, organized by type.
Reference
Install-script allowlists — A survey of install-script allowlist mechanisms across package managers and language ecosystems.
Package Security Problems for AI Agents — Packages all the way down, agents all the way up.
Skills Registry Threat Models — How long until we see a CVE filed against a markdown file?
Package managers
How to Ruin All of Package Management — Attach financial incentives to open source metrics and watch the spam flood in.
If It Quacks Like a Package Manager — Some tools waddle like package managers without learning to swim.
Incident Report: CVE-2024-YIKES — A series of unfortunate events.
Install-script allowlists — A survey of install-script allowlist mechanisms across package managers and language ecosystems.
Package Manager CWEs — Recurring weakness classes in package managers
Package Manager Threat Models — The non-CVE half of package manager security
Package Managers Need to Cool Down — A survey of dependency cooldown support across package managers and update tools.
Package Security Defenses for AI Agents — Lockfiles, sandboxes, and cooldown timers.
Package Security Problems for AI Agents — Packages all the way down, agents all the way up.
Patching and forking in package managers — What to do when upstream ghosts you
Reproducible Builds in Language Package Managers — Verifying that a published package was actually built from the source it claims.
Skills Registry Threat Models — How long until we see a CVE filed against a markdown file?
Slopsquatting meets Dependency Confusion — LLMs can leak internal package names, making dependency confusion attacks easier to scale.
The stages of package installation — Denial, anger, bargaining, depression, acceptance, postinstall.
Transitive Trust — You trust your maintainers, who trust their maintainers, but do they trust their maintainers' maintainers?
Typosquatting in Package Managers — A reference guide to typosquatting techniques, real-world examples, and detection tools.
npm's Defaults Are Bad — The npm client's default settings are a root cause of JavaScript's recurring supply chain security problems.
proxy — A lightweight multi-ecosystem caching package proxy
Supply chain
Composer's dependency policies — uBlock Origin for composer install
Free as in Tribbles — The next metaphor after free-as-in-puppy
GitHub Actions is the weakest link — Anne Robinson would like a word with .github/workflows
GitHub Actions security in Python packages — Thank you Dr. Zizmor
Language Registries Are Unstable by Default — apt install -t unstable, but make it your whole personality
Package Management at FOSDEM 2026 — Summary of package management talks from FOSDEM 2026, covering supply chain security, attestations, SBOMs, dependency resolution, and distribution packaging across multiple devrooms.
Protestware for coding agents — printMessageForCodingAgents()
Reviewing ENISA's Package Manager Advisory — Notes on ENISA's Technical Advisory for Secure Use of Package Managers.
Signing is for the bad days — TUF, in-toto, and Sigstore only look pointless while nothing is on fire
The Tuesday Test — Like the Turing test but with more tacos.
Weekend at Bernie's — Which of your dependencies are wearing sunglasses
Who Built This? — Tracing a dependency back to its source commit.
gittuf — a signed log for git refs — Branch protection is a row in someone else's database
AI
Not a Security Issue — How curl's disclosure policy filtered an AI scanner's findings at source
Package Security Defenses for AI Agents — Lockfiles, sandboxes, and cooldown timers.
Package Security Problems for AI Agents — Packages all the way down, agents all the way up.
Protestware for coding agents — printMessageForCodingAgents()
Scrutineer: scanning open source without flooding maintainers — Finding the vulnerabilities is the easy part
Skills Registry Threat Models — How long until we see a CVE filed against a markdown file?
brief — A knowledge base of project conventions, exposed as a CLI.
Tools
Scrutineer: scanning open source without flooding maintainers — Finding the vulnerabilities is the easy part
brief — A knowledge base of project conventions, exposed as a CLI.
proxy — A lightweight multi-ecosystem caching package proxy
Satire
Incident Report: CVE-2024-YIKES — A series of unfortunate events.
Joint Guidance on Vulnerability Naming and Disclosure — Every named CVE now ships with a single-page site at .vuln.
The Infosec Phrasebook — a/s/l/threat model?
Everything else
Revisiting the 2015 Open Source Census — The riskiest projects in open source, scored a decade early
The Cathedral and the Catacombs — Stretching a metaphor deep into the floor.
The Mismeasure of Open Source — The streetlight effect in project-health scoring
Two Kinds of Attestation — The oldest problem in computer science, but with toasters.