Insights

GGEZ Blog

Thoughts, stories and ideas.

Topic hubs

AI Hub Patterns

Reusable notes on OpenClaw, agent workflows, approvals, project builds, and practical AI operations.

Latest

Recent posts

Security

Trusted Publishing Is Not a Force Field: What June 2026's npm Attacks Changed

June 2026 made the same point four different ways: if an attacker can take over a maintainer account, a GitHub workflow, or a release runner, they can still ship malware through a trusted package path. The fix is to harden the release lane, not just scan the dependency tree.

5 min read
Security

The Registry Is Not the Trust Boundary

A June 1 Red Hat disclosure shows why supply chain defense is no longer just about dependency versions. If a compromised GitHub account can push malicious code into a package namespace, the real control point is the publish path, the build graph, and the evidence trail you can verify afterward.

4 min read
Blue shield icon in a green block pattern
Security

A Signed Release Can Still Be the Wrong Release

The May 2026 TanStack attack shows why SMBs need dependency review, isolated publish jobs, and automated SBOM and provenance checks before release trust becomes release risk.

4 min read

Ready?

Let's build something.

Brief scope call. Practical next steps.