Secure Vibe Coding with AI Agents

Submitted by
Style Pass
2025-07-31 12:30:04

Recently, eslint-config-prettier, an npm package with more than 30 million weekly downloads, was compromised. We wrote about it in our earlier blog post, eslint-prettier-config: Major Supply Chain Attack on npm. But the fact remains that npm, like other public open source package registries, is a source of supply chain attacks through malicious open source packages published in these registries. AI IDEs and coding agents are likely to accelerate the risk of malicious packages in the software supply chain.

We built SafeDep vet to protect software development teams against malicious packages in CI/CD. But this is not enough when it comes to AI coding agents like OpenAI Codex and Claude Code, and AI IDEs like Cursor, Windsurf and others. Let's see with an example.

Suppose you are in the vibe of building the world’s best CLI tool with an outstanding DevEx. You start with a boilerplate TypeScript project that contains only a few dependencies like tsc.
