Published June 8, 2026 · Added June 8, 2026

Config Files That Run Code: Supply Chain Security Blindspot

SafeDep examines how ordinary repository config files for tools including VS Code, Cursor, Claude Code, Gemini CLI, npm, Composer, and Bundler can execute attacker-controlled commands, using the Miasma worm's open source repository compromises to show how AI coding-agent and package-manager hooks become supply-chain execution primitives.

Source: SafeDep