Everyone Is a VIP Now

The recent string of npm compromises has everyone blaming the registry. The registry is fine. The thing nobody is pricing in is how AI coding agents concentrate access until every developer holds the kind of reach that used to belong to a privileged few.
Petko D. Petkov, on a break from CISO duties, building cbk.ai

There has been a string of high-profile npm compromises lately, and we still do not know the full extent of the damage. The repercussions are still landing. Most of the commentary has settled on the same target: npm, the way it works, the way it publishes, the way it resolves dependencies.

I do not buy it. npm as a distribution channel is not meaningfully different from any other package manager for developer libraries. PyPI, Maven, Cargo, RubyGems - they all share the same features and the same exposure. The npm CLI has bad defaults, and on that point I agree completely, which is why I tell everyone to use pnpm. The registry itself is fine.

And set aside that JavaScript is roughly six to seven times larger than Python or Java as an ecosystem, which alone explains why it gets hit more often and hits harder.

There is another factor worth thinking about. I am not claiming it caused these attacks. But I believe, now or soon, it changes their impact.

AI coding assistants made developers extraordinarily productive. One person can now run several projects at once. Codex, Cursor, Claude Code, and lately even VSCode default to a mode where you instruct an agent instead of editing code yourself. That is great ergonomics for working across many codebases in parallel. It is also no accident that companies are reportedly letting junior developers go and keeping the seniors. Those seniors now touch more projects than ever.

I have spent most of my career in information security. In an enterprise you contain the blast radius with RBAC. That works when roles are strict and only a tiny fraction of people - the VIPs - hold broad access. It falls apart when everyone starts operating across everything. As a single developer spreads across a dozen codebases, their access stops being well defined and gets muddy. One small, unimportant, inconsequential package now sits on a path to everything else that person touches.

So the argument is simple. AI coding agents have widened the security blast radius. Concentration of access, less time spent on review, environments that are harder to control. A compromise no longer has to start somewhere that matters. It just has to reach someone who is everywhere.

We turned every developer into a VIP and we have not yet adjusted the threat model to account for it. We are still treating the registry as the problem, but the real problem is that every developer has broad access to everything.