Code is being written everywhere, and the device is the only constant

PostHog co-founder James Hawkins warns that the fragmentation of coding interfaces—from Slack bots to AI agents and MCP servers—is expanding the attack surface on developer devices faster than security tooling can keep up. As developers increasingly write code through chat, voice, and background agents, the device remains the one constant vector for supply chain attacks, as demonstrated by recent incidents like TeamPCP, the Axios maintainer hijack, and the Glassworm attack. Hawkins notes that while AI accelerates development, it also forces companies to spend more on security to protect against threats targeting developer machines.

This post is based on Mackenzie's conversation with James Hawkins on The Secure Disclosure podcast . Listen to the full episode or watch below. PostHog's engineering team is merging roughly as many pull requests through Slack as through their code editor. As James Hawkins, co-founder and co-CEO of PostHog, explains on the podcast, the shift towards dispersed coding interfaces is underway. "Why are code editors all desktop apps right now? That's a relic of the past. Back in the day, when writing the code was the bottleneck, you wanted a big screen with eight files open. That problem is kind of gone." Slack is just one example. Developers are writing code through AI agents, chat interfaces, and MCP servers wired together in ways their security teams have never seen, let alone approved. The interface is fragmenting faster than any security tooling was built to handle. Your EDR can't see work that has moved to a Slack bot, an MCP server, or an agent running in the background. Hawkins thinks voice is next. "Do you even need a screen today at all? You might be coding in Slack, WhatsApp, or literally calling it." The attack surface is bigger than many teams realize, and it's still growing The developer device is already an under-protected attack surface, and attackers know it. In March alone, TeamPCP /blog/teampcp-deploys-worm-npm-trivy-compromise chained stolen credentials across four major open source projects in under ten days. The Axios maintainer account was hijacked /blog/axios-npm-compromised-maintainer-hijacked-rat and used to distribute a RAT through a package nobody had explicitly installed or reviewed. The Glassworm attack /blog/what-mdm-cant-protect compromised VS Code extensions and browser plugins to silently backdoor developer machines, exposing 3,800 of GitHub's internal repositories in under 18 minutes. None of these required finding a vulnerability in anyone's code. The developer device was the vulnerability /blog/developer-machines-supply-chain-attacks . Hawkins is thinking about the security implications, too. "We're probably spending much more on security than we would have been had there not been the explosion of AI. AI brings with it the ability to write code hundreds of times faster than you ever could before, which saves a bunch of money. But you then need to spend more on security." The attack surface is only expanding, and PostHog is living this transition in real time. Their Slack integration for coding work took off internally because the less creative engineering work, fixing a UX annoyance, patching a failing test, is exactly the kind of task an AI coding agent can handle without a developer opening an editor at all. As Hawkins puts it, "The kind of thing that, because the model's getting stronger, we can see people coding through Slack." MCP servers extend this further, carrying the same supply chain risks as any other dependency. The first confirmed malicious MCP server https://thehackernews.com/2025/09/first-malicious-mcp-server-found.html appeared on npm in September 2025, silently blind-copying every outgoing email to an attacker-controlled address across fifteen clean versions before the backdoor appeared on the sixteenth. Hawkins sees the interface continuing to evolve well beyond any of this. "I could see the desktop app starting to actually feel a lot like Slack. GitHub becomes like the back end. It's almost like S3. This is just supposed to store code." The device is the one constant as interfaces evolve Developer devices hold the keys to the castle. These are cloud credentials, SSH keys, npm publish tokens, Kubernetes configs, and direct access to source code and production. Compromise one, and the blast radius is enormous. That's what makes developer devices the number one target for supply chain attackers, and it's what makes the interface fragmentation problem so dangerous. Whatever tool an engineer uses, it lands on the device first. For example, say a developer gets a Slack message from their team's AI coding bot flagging a failing test with a drafted fix. The diff looks reasonable, so they hit approve on their phone during a commute. The agent merges the PR, pulls a new dependency, executes the postinstall hook, and touches production credentials, all before the developer sits back down. The package was published two hours ago and nobody has reviewed it. From MDM's perspective, nothing happened. From EDR's perspective, a process ran that looked like normal development activity. By the time anything anomalous shows up in a log, the credentials are gone. One approved Slack message provided full device access. MDM /blog/what-mdm-cant-protect doesn't see what gets pulled from a package registry or installed through a VS Code marketplace. EDR doesn't catch a malicious postinstall hook until after it's already run. By then, the credentials are gone. Aikido Device Protection monitors all of these interfaces at the device level Aikido Device Protection /protect/device-protection sits on the developer device itself, giving security teams central visibility and control over everything installed across developer machines, including npm packages, IDE extensions, browser plugins, and AI tools. It checks every install against Aikido Intel's threat feed https://intel.aikido.dev/ , which analyzes over 100,000 suspicious projects per day and identifies malware within minutes of publication. Malicious installs get blocked before they touch the machine. Safe installs go through without interruption, keeping devs safe without disrupting their day. {{cta}} <script type="application/ld+json" { "@context": "https://schema.org", "@graph": { "@type": "WebPage", "@id": "https://www.aikido.dev/blog/code-is-written-everywhere webpage", "url": "https://www.aikido.dev/blog/code-is-written-everywhere", "name": "Code Is Written Everywhere — and the Device Is the Only Constant | Aikido Security", "description": "Developers are coding through Slack, AI agents, and MCP servers — but your EDR can't see any of it. Learn why the developer device is the 1 supply chain attack target and how Aikido Device Protection keeps it secure.", "inLanguage": "en", "isPartOf": { "@id": "https://www.aikido.dev/ website" }, "primaryImageOfPage": { "@id": "https://www.aikido.dev/blog/code-is-written-everywhere primaryimage" }, "breadcrumb": { "@id": "https://www.aikido.dev/blog/code-is-written-everywhere breadcrumb" }, "speakable": { "@type": "SpeakableSpecification", "cssSelector": "h1", "h2", ".article-summary" } }, { "@type": "NewsArticle", "@id": "https://www.aikido.dev/blog/code-is-written-everywhere article", "mainEntityOfPage": { "@id": "https://www.aikido.dev/blog/code-is-written-everywhere webpage" }, "headline": "Code Is Written Everywhere — and the Device Is the Only Constant", "description": "Developers are coding through Slack, AI agents, and MCP servers — but your EDR can't see any of it. Learn why the developer device is the 1 supply chain attack target and how Aikido Device Protection keeps it secure.", "datePublished": "2026-06-10T00:00:00+00:00", "dateModified": "2026-06-10T00:00:00+00:00", "inLanguage": "en", "url": "https://www.aikido.dev/blog/code-is-written-everywhere", "image": { "@id": "https://www.aikido.dev/blog/code-is-written-everywhere primaryimage" }, "author": { "@id": "https://www.aikido.dev/authors/nicholas-thomson person" }, "publisher": { "@id": "https://www.aikido.dev/ organization" }, "isPartOf": { "@id": "https://www.aikido.dev/blog/code-is-written-everywhere webpage" }, "articleSection": "Security", "keywords": "developer device security", "supply chain attack", "MCP server security", "AI coding agents", "EDR limitations", "npm malware", "VS Code extension security", "Aikido Device Protection", "developer security", "software supply chain", "postinstall hook attack", "Glassworm", "TeamPCP", "malicious npm package", "developer endpoint security" , "timeRequired": "PT5M", "about": { "@type": "Thing", "name": "Software Supply Chain Security", "sameAs": "https://en.wikipedia.org/wiki/Supply chain attack" }, { "@type": "Thing", "name": "Developer Device Security" }, { "@type": "Thing", "name": "AI Coding Agents" } , "mentions": { "@type": "SoftwareApplication", "name": "Aikido Device Protection", "url": "https://www.aikido.dev" }, { "@type": "SoftwareApplication", "name": "PostHog", "url": "https://posthog.com" }, { "@type": "SoftwareApplication", "name": "Visual Studio Code", "sameAs": "https://code.visualstudio.com" }, { "@type": "Thing", "name": "Model Context Protocol MCP " }, { "@type": "Event", "name": "Glassworm Attack", "description": "A supply chain attack that compromised VS Code extensions and browser plugins to backdoor developer machines, exposing 3,800 GitHub internal repositories." }, { "@type": "Event", "name": "TeamPCP Supply Chain Attack", "description": "A March 2026 attack that chained stolen credentials across four major open source projects in under ten days." }, { "@type": "Event", "name": "First Confirmed Malicious MCP Server", "description": "A malicious MCP server on npm that silently blind-copied outgoing emails to an attacker-controlled address across sixteen package versions." }, { "@type": "Person", "name": "James Hawkins", "jobTitle": "Co-founder and Co-CEO", "worksFor": { "@type": "Organization", "name": "PostHog", "url": "https://posthog.com" } } }, { "@type": "ImageObject", "@id": "https://www.aikido.dev/blog/code-is-written-everywhere primaryimage", "url": "https://www.aikido.dev/images/blog/code-is-written-everywhere-feature.png", "contentUrl": "https://www.aikido.dev/images/blog/code-is-written-everywhere-feature.png", "width": 1456, "height": 816, "caption": "An open box emitting cascading binary code, representing the expanding and fragmented developer attack surface." }, { "@type": "BreadcrumbList", "@id": "https://www.aikido.dev/blog/code-is-written-everywhere breadcrumb", "itemListElement": { "@type": "ListItem", "position": 1, "name": "Home", "item": "https://www.aikido.dev" }, { "@type": "ListItem", "position": 2, "name": "Blog", "item": "https://www.aikido.dev/blog" }, { "@type": "ListItem", "position": 3, "name": "Code Is Written Everywhere — and the Device Is the Only Constant", "item": "https://www.aikido.dev/blog/code-is-written-everywhere" } }, { "@type": "Organization", "@id": "https://www.aikido.dev/ organization", "name": "Aikido Security", "url": "https://www.aikido.dev", "logo": { "@type": "ImageObject", "url": "https://www.aikido.dev/logo.png" }, "sameAs": "https://www.linkedin.com/company/aikido-security", "https://x.com/aikidosecurity", "https://github.com/AikidoSec" }, { "@type": "Person", "@id": "https://www.aikido.dev/authors/nicholas-thomson person", "name": "Nicholas Thomson", "jobTitle": "Senior SEO & Growth Lead", "url": "https://www.aikido.dev/authors/nicholas-thomson", "worksFor": { "@id": "https://www.aikido.dev/ organization" }, "sameAs": "https://www.linkedin.com/", "https://x.com/" } } </script