Claude precommit hooks, malware NPM packages, typosquatted homebrew formulas, etc the list goes on. The supply chain risk is so REAL in 2026, it's gonna be an interesting year...
🚨 AI agents built to catch malicious code (Claude Code, OpenAI Codex) can be tricked into running it.
New "Friendly Fire" attack hides instructions in a repo's README. Ask the agent to review some code, and during that review it runs the attacker's payload on your machine.












