{"slug": "supply-chains-zombie-oss-and-agent-firewalls", "title": "Supply Chains, Zombie OSS, and Agent Firewalls", "summary": "Gergely Orosz reports that AI is amplifying team culture for better or worse, while Cloudflare demonstrates frontier models chaining exploits and outperforming single-agent verification in security reviews. SafeDep tracked 314 compromised npm packages, prompting npm's staged publishing response, and Andrew Nesbitt documented how open-source projects become zombie dependencies. Julia Evans made a case for semantic HTML with native CSS, and Deno's Claw Patrol introduced agent-level security controls directly in the runtime.", "body_md": "This week feels like a full-stack reality check: [Gergely Orosz](https://newsletter.pragmaticengineer.com/p/ai-impact-on-software-engineers-part-2) reports that AI is amplifying team culture (good and bad), while [Cloudflare](https://blog.cloudflare.com/cyber-frontier-models/) shows frontier models already chaining exploits and reviewing attacks better with multi-agent setups.\n\nThe ecosystem drama continues: [SafeDep](https://safedep.io/mini-shai-hulud-strikes-again-314-npm-packages-compromised/) tracks 314 compromised npm packages, [npm](https://docs.npmjs.com/staged-publishing) responds with staged publishing, and [Andrew Nesbitt](https://nesbitt.io/2026/05/19/dumb-ways-for-an-open-source-project-to-die.html) explains how open-source projects quietly become zombie dependencies.\n\nOn the practical side, [Julia Evans](https://jvns.ca/blog/2026/05/15/moving-away-from-tailwind--and-learning-to-structure-my-css-/) makes a strong case for semantic HTML + native CSS, [uxdesign.cc](https://uxdesign.cc/the-waiting-problem-in-ai-products-e7c11fd5a825) reminds AI teams that vague spinners are not UX strategy, and the database/tooling corner is unusually strong: [pgsqlite](https://github.com/erans/pgsqlite), [TypeORM 1.0](https://typeorm.io/docs/releases/1.0/release-notes/), and [Kanel 4.0](https://github.com/kristiandupont/kanel) all make modern TS+SQL workflows less painful.\n\nBonus watch: [Martin Fowler and Kent Beck](https://www.youtube.com/watch?v=ii_rLjQfjp0) reflecting on 30 years of Agile is a nice antidote to pure AI hype cycles. Also worth noting: [Claw Patrol](https://deno.com/blog/clawpatrol) pushes agent-level security controls in the runtime itself, which is exactly where this should be heading.\n\nEnjoy!\n\nSignup [here](https://weeklyfoo.com) for the newsletter to get the weekly digest right into your inbox.\n\nFind the 12 highlighted links of [weeklyfoo](https://weeklyfoo.com) #138:\n\n## AI's Impact on Software Engineers in 2026: Part 2\n\nby Gergely Orosz\n\nSurvey of 900+ engineers ā€” AI amplifies existing culture, codebase quality is dropping while management focuses on output, and junior devs are struggling most\n\nšŸš€ Read it!, ai, engineering\n\nby Julia Evans\n\nAdopting semantic HTML and native CSS ā€” component files, CSS nesting, and grid layouts without the framework dependency\n\nšŸ“° Good to know, css, frontend\n\n## 314 npm Packages Compromised in New Supply-Chain Wave\n\nby SafeDep Team\n\nThe mini Shai-Hulud class of supply-chain attacks returns ā€” 314 packages including the antv family and timeago.js targeted in the latest wave\n\nšŸ“° Good to know, security, npm, javascript\n\n## What Claude Mythos Showed Cloudflare\n\nby Cloudflare\n\nCloudflare CSO reports on Project Glasswing findings ā€” exploit chain construction, proof generation, and adversarial multi-agent review that outperforms single-agent verification\n\nšŸ“° Good to know, ai, security\n\n## Dumb Ways for an Open Source Project to Die\n\nby Andrew Nesbitt\n\nMaintainer burnout, funding gaps, and broken tech turn still-used packages into zombies ā€” listed everywhere, quietly dangerous for all downstream dependents\n\nšŸ“° Good to know, open-source, engineering\n\n## The Waiting Problem in AI Products\n\nby uxdesign.cc\n\nAI products ignore decades of research on wait time ā€” users need progress indicators, ETAs, and detailed logs instead of vague spinners that force people to invent their own coping behaviors\n\nšŸ“° Good to know, ai, design, ux\n\n## Staged Publishing for npm Packages\n\nby npm\n\nnpm's new staged publishing model gives packages a review period before going live ā€” part of the npm 11.15.0 release\n\nšŸ“° Good to know, npm, javascript\n\nby Eran Sandler\n\nPostgres wire-protocol adapter for SQLite ā€” use psql, pgAdmin, and standard Postgres drivers against an SQLite database\n\nšŸ§° Tools, sqlite, postgres, tools\n\nby TypeORM Team\n\nTypeScript-first ORM reaches 1.0 after years on 0.3.x ā€” INSERT INTO SELECT support, cross-driver transaction isolation levels, and smoother PostgreSQL enum migrations\n\nšŸ§° Tools, typescript, database, tools\n\nby Kristian Dupont\n\nInspects your Postgres database and generates TypeScript types for use with Knex, Zod, or Kysely\n\nšŸ§° Tools, typescript, postgres, tools\n\nby Deno Team\n\nSecurity firewall for Deno agents ā€” restricts network access and subprocess execution to prevent agent overreach\n\nšŸ§° Tools, security, ai, tools\n\n## Tech Truth: Agile Evolution & the Future of SW Engineering\n\nby Martin Fowler, Kent Beck\n\nMartin Fowler and Kent Beck reflect on 30 years ā€” AI as a patient tutor, what Extreme Programming got right, and why people skills still matter more than tools\n\nšŸ“ŗ Videos, engineering, agile\n\nWant to read more? Check out the full article [here](https://weeklyfoo.com/foos/foo-138/).\n\nTo sign up for the weekly newsletter, visit [weeklyfoo.com](https://weeklyfoo.com).", "url": "https://wpnews.pro/news/supply-chains-zombie-oss-and-agent-firewalls", "canonical_source": "https://dev.to/urbanisierung/supply-chains-zombie-oss-and-agent-firewalls-543", "published_at": "2026-05-29 06:36:57+00:00", "updated_at": "2026-05-29 06:42:17.025460+00:00", "lang": "en", "topics": ["ai-agents", "ai-tools", "ai-products", "ai-research", "ai-safety"], "entities": ["Gergely Orosz", "Cloudflare", "SafeDep", "npm", "Andrew Nesbitt", "Julia Evans", "Martin Fowler", "Kent Beck"], "alternates": {"html": "https://wpnews.pro/news/supply-chains-zombie-oss-and-agent-firewalls", "markdown": "https://wpnews.pro/news/supply-chains-zombie-oss-and-agent-firewalls.md", "text": "https://wpnews.pro/news/supply-chains-zombie-oss-and-agent-firewalls.txt", "jsonld": "https://wpnews.pro/news/supply-chains-zombie-oss-and-agent-firewalls.jsonld"}}