Skip to content

// #trust-model

0 articles

← All tags

Commentary tagged #trust-model

Opinion

AI Platforms Inherited the npm Trust Model and Its Problems Are Arriving on Schedule

A fake OpenAI repository reached #1 trending on Hugging Face and delivered an infostealer to 244,000 users. This was predictable. The AI/ML developer ecosystem adopted the open-publishing, community-trust model of package registries without adopting the hard-won security lessons those registries learned over the past decade. The attack surface Hugging Face presents in 2026 looks remarkably like the attack surface npm presented in 2016.

CipherWatch Editorial

Security Intelligence Platform
Opinion

Lockfiles Don't Protect You When the Maintainer Is the Threat

Three npm supply chain attacks in a single week — Axios, @bitwarden/cli, and CanisterSprawl — have been met with the same industry response: update your lockfile. This is wrong. When the original maintainer account is compromised, a new legitimate-signed version is published, and lockfiles pin to whatever is current, the entire model breaks down. The industry is treating a trust infrastructure failure as a dependency hygiene problem.

CipherWatch Editorial

Security Intelligence Platform