Blog
What's happening at boring.tools
Updates on development, security insights, and everything supply chain security.

The jscrambler compromise shows why install-time code execution is dangerous
A compromised jscrambler npm release used a preinstall hook to run hidden native binaries before application code ever loaded.

npm 12 makes install scripts opt-in by default
npm 12 turns lifecycle scripts, Git dependencies, and remote tarballs into explicit choices. That is a meaningful shift for JavaScript supply-chain security.

Phantom squatting turns AI hallucinations into supply-chain risk
LLMs can invent plausible domains, API endpoints, and portals. Unit 42's research shows attackers can register those hallucinations and turn trusted AI output into a delivery path.

GitHub Action tags are part of your software supply chain
The codfish semantic-release-action compromise shows why CI/CD actions need the same inventory, pinning, and secret-scoping discipline as packages.

PolinRider shows why supply-chain response has to cross ecosystems
Socket linked PolinRider to 162 malicious artifacts across npm, Packagist, Go modules, and Chrome extensions. Here's what defenders should check.

Mastra npm packages were backdoored through an easy-day-js typosquat
A compromised @mastra publish added a dayjs-looking dependency across 140+ packages. Here's what happened, how to check exposure, and what to do next.

Automated SBOM generation with Git integration
Connect your GitHub or Forgejo repositories to boring.tools and generate CycloneDX SBOMs automatically on every commit. No CI changes, no manual steps.

OWASP API Security Top 10 2023: What every developer should know
APIs are the backbone of modern applications — and the primary attack surface. The OWASP API Security Top 10 2023 maps the most critical risks, from broken authorization to unsafe consumption of third-party APIs.

OWASP Top 10 CI/CD Security Risks: What every pipeline needs to know
From Poisoned Pipeline Execution to Dependency Chain Abuse — the OWASP Top 10 CI/CD Security Risks framework maps the attack vectors threatening modern software delivery. Here's what each risk means and how to defend against them.

Software supply chain attacks: what they are and how to defend against them
axios. TanStack. event-stream. Supply chain attacks have become one of the most effective ways to compromise software at scale. Here's how they work and what you can actually do about them.

VS Code now waits 2 hours before auto-updating extensions — and your package manager probably should too
Microsoft added a two-hour delay to VS Code's extension auto-updates to reduce supply chain risk. The same idea is already built into Bun, npm, pnpm, and Yarn. Here's how it works and why it matters.

What is an SBOM and why should developers care?
A Software Bill of Materials sounds like compliance paperwork. It isn't. Here's what an SBOM actually is, what CycloneDX and SPDX look like in practice, and why knowing your dependencies matters more than ever.

Miasma: the self-spreading npm worm that targets your AI coding tools
The Miasma worm compromised 57 npm packages, 73 Microsoft GitHub repositories, and began spreading to PyPI — all in under two weeks. Here's how it works and what you need to check.

The EU Cyber Resilience Act: what it actually means for your software
The CRA is law. By December 2027 every product with digital elements sold in the EU needs an SBOM, secure-by-design engineering, and a vulnerability process. Here's what that means in practice — without the legal fog.

Introducing boring.tools: Supply Chain Security, Simplified
Today we're announcing boring.tools — a platform that helps you generate SBOMs, track CVEs, and understand your software supply chain without the complexity.