You Trust 1000 Strangers Every Time You Deploy

.avif)
.avif)



Every modern application is mostly other people's code. A typical project pulls in hundreds and thousands of transitive dependencies across npm, PyPI, Go modules, container base images, and GitHub Actions. Each one is a decision someone else made about what to run on your machine, in your CI, on your production servers.
For most of the history of package management, that was treated as a trust problem that would sort itself out. It didn't. Supply chain attacks have become the defining security story of 2025–2026; not because the technique is new, but because the scale, automation, and sophistication have fundamentally changed:
Self-replicating worms spread through npm. North Korean state actors compromise packages with 70 million weekly downloads. Attackers forge provenance attestations - the one trust signal the ecosystem was starting to build.
And all of it happens before your code even runs.
The security industry talks a lot about shifting left - catching issues as early as possible in the development lifecycle. Supply chain security is the most literal version of that idea: if malicious code enters your dependency tree, it's already too late to catch it at the application layer. You have to shift left past your own code, into the packages, registries, and CI pipelines that feed it.
This is how we think about it at Daylight, and what we've built.
The Attack Playbook
Before diving into the ecosystems, it's worth understanding the tactics. Supply chain attacks aren't one thing; they're a family of techniques, and they keep evolving:
These aren't academic categories. Every one of them has been used in major incidents in the last 18 months (more on that later). Knowing the playbook matters because each tactic requires a different shift-left response.
A new type of attack: Slopsquatting
Slopsquatting (term coined by PSF Developer-in-Residence Seth Larson) is typosquatting's AI-native cousin: instead of exploiting a developer's typo, it exploits the model's hallucination. AI coding assistants routinely invent plausible-but-nonexistent package names, and an attacker who pre-registers a commonly hallucinated name gets malicious code installed by anyone who trusts the suggestion. What makes this scalable and not theoretical is that the hallucinations are consistent - the same prompts produce the same invented names, so an attacker only needs a handful of outputs to find a viable target.
It's also a clean example of why behavioral scanning is just as critical as CVE matching - more on that topic later.
The Ecosystems Were Never Built for This
The supply chain problem isn't limited to one ecosystem, but npm is the most instructive example of what happens when security is an afterthought.
npm: 14 Years of Default-Allow
This isn't a bug. It's a design decision that was never revisited until it was far too late.
Other ecosystems shifted left on this years ago:
npm? The first serious RFC to make install scripts opt-in was proposed in 2021 and rejected as too disruptive. The actual hard block is expected in npm v12 (July 2026). That's 14 years of default-allow arbitrary code execution, and the ecosystem is still catching up.
It's Not Just npm
The common thread: every ecosystem was built on implicit trust, and that trust is being exploited at scale.
Provenance Was Supposed to Help
Go shipped its checksum database in 2019 - a tamper-evident transparency log that records the cryptographic hash of every module version the first time it's downloaded anywhere in the world. From that point on, every go command verifies the hash matches the global record. If an attacker compromises the registry and swaps in malicious code at an existing version number, every client sees a mismatch and refuses to install. It's an integrity guarantee - it can't tell you whether code was malicious to begin with - but it proves no one tampered with it after the fact. It's default-on and ecosystem-wide. npm has no equivalent.
What npm does have is provenance - Sigstore-based attestations that link a published package to its source repo and CI build. It reached GA in September 2023, roughly four years behind Go's integrity guarantee. PyPI shipped trusted publishers in April 2023. npm's trusted publishers didn't land until July 2025.
Adoption tells the real story: only about 12% of qualifying top npm packages have provenance enabled. It remains optional and unenforced. And the TanStack attack in May 2026 demonstrated that provenance attestations could be forged by stealing OIDC tokens from CI runners - undermining the one trust signal the ecosystem had started to build.
If you can't shift left of the signing infrastructure itself, provenance is a speed bump, not a wall.
What Happens When It Goes Wrong
The last 18 months have produced a volume and severity of supply chain incidents that would have been hard to imagine a few years ago:
The attacks are getting faster, more automated, and increasingly backed by nation-state resources. They exploit the defaults - auto-run scripts, flat namespaces, version range resolution, implicit CI trust - across every ecosystem.
Waiting for each ecosystem to fix its own defaults is not a viable security strategy.
Shifting Left of Your Own Code
The shift-left principle says catch issues as early as possible. For supply chain security, that means catching malicious code before it enters your environment - not after it runs, not after it deploys, not after your detections up the exfiltration. The earlier you catch it, the smaller the blast radius.
The ecosystems need fixing, and that's a community-wide effort. What we can do right now is control what enters our environment and how we respond when something slips through.
The Registry Firewall
We deployed a registry firewall as an in-cluster proxy that intercepts and scans every package download across npm, PyPI, and Go module registries. It runs behind an internal ALB restricted to our VPC, with DNS routed through Twingate - meaning both local development and CI builds pass through the same behavioral analysis layer.
This is shifting left to the earliest possible moment: the package is scanned before it's installed, not after.
The approach we chose is fundamentally different from traditional SCA tools. Instead of just matching CVE databases, it analyzes package behavior: install scripts, network access, filesystem operations, obfuscated code. This catches zero-day supply chain attacks that no CVE database would flag. A freshly published malicious package has no CVE entry - but it does have suspicious behavior, and behavioral analysis catches that.
Enforced, Not Optional

Never Install Day-Zero
We enforce a deliberate 7-day cooldown before newly published package versions become available in our environment. This shifts left even further - before behavioral scanning, before CI, before any developer touches it. The package simply doesn't exist in our world for seven days.
This method gives the security community, behavioral analysis tools, and each registry's trust-and-safety team time to identify and yank malicious versions before they ever enter the supply chain. Take the Axios attack: malicious versions were published and available for immediate installation via version range resolution. Our environment never saw them. The 7-day cooldown meant the community identified and removed the compromised versions long before they could
have reached us
CI as a Security Boundary
The shift-left approach extends into CI/CD. Every Docker image is scanned before deployment -container scanning catches vulnerabilities that entered through base images or build-time dependencies, another supply chain vector that's easy to overlook. Wiz posts code review comments on PRs, holds application SBOMs, and blocks builds that fail policy. Security-only Dependabot across all repositories means we only adopt dependency updates that patch
known vulnerabilities - no blind version bumps.
The CI environment itself is fully monitored by Daylight's own detection engine - the same one watching our production infrastructure. And CI workflows run on least-privilege principles: each workflow only has access to the secrets it actually needs, scoped per environment and per service, with short TTLs. Even in the extreme case where a supply chain compromise would reach a CI container, it's exposed to a very limited set of secrets - not the keys to the kingdom.

The New Supply Chain: AI-Native Means Everyone Installs Packages Now
Here's the part that changes the math. Daylight is AI-native - and that doesn't just mean our engineers use AI tools. Everyone does. Product, security analysts, operations - Claude is embedded across the organization. We're heavily invested in it, and it makes the entire team faster.
It also means the supply chain threat surface has expanded far beyond engineering. Claude Code can install packages. An analyst exploring a data pipeline can trigger a dependency install without ever opening a terminal. A product person prototyping a workflow can pull in a package they've never evaluated. Gatekeeping engineers is mostly a solved problem; the new challenge is protecting everyone else without killing the speed that makes AI-native work worthwhile.
This is where infrastructure-level controls matter most. The registry firewall and 7-day cooldown don't care who triggered the install - every package download, from every source, passes through the same behavioral analysis layer.
That's the only way to shift left when the attack surface isn't "developers" anymore, it's "anyone with a prompt."
Supply Chain Is One Layer — Not the Whole Story
Everything described here - the registry firewall, the day-zero hold, behavioral scanning, AI tool detections - is one layer in a broader defense-in-depth architecture. It's the layer that shifts left the furthest, catching threats before they enter the environment. But it's not sufficient on its own.
A supply chain compromise that somehow bypasses every control above still has to contend with ingress hardening, WAF rules, and authentication enforced at the edge before application code is reachable. It has to move through a zero-trust network where every resource is a separate access decision and credentials expire in hours, not months.
We put the same emphasis on every layer. Supply chain security is where we shift left the hardest, but it only works because the layers behind it are just as deliberate. No single control is the answer. Defense in depth is.
The ecosystem won't save you. Your architecture has to.






