Go visit the website any of your favourite AI agent or tool. Navigate to installation instructions. It’s very likely going to be a form of: curl URL | bash or npm i -g. Claude Code, OpenCode, Codex, Pi - all of them. I get it, it’s convenient. Thing is, even if you “trust” the provider, you can’t rule out supply chain attacks. npm is already notorious on that front. Despite a prolonged effort by the npm folks to clean this up, the problem remains that contaminating the supply chain remains and has become ever so lucrative. And if things couldn’t get worse, now there’s hundreds of published vibecoded software that recommend the same process. The unsafe behaviour seems to have become the de facto way to install any software.
No comments yet. Log in to reply on the Fediverse. Comments will appear here.