Open source is under attack, and AI changed the math. In this Security Corner, Ismail Pelaseyed, co-founder and CTO of Superagent, joins Shane and Abhi to break down how the software supply chain became the soft underbelly of everything we build.
An attack that once took an army of researchers and weeks of work now takes about an hour, and the attacker no longer needs a frontier model to pull it off. Ismail traces how most breaches begin, why phishing has become almost impossible to spot, and how a single poisoned dependency can cascade across an entire ecosystem.
You'll get concrete steps any maintainer or developer can take today: switching package managers, enabling the security scanners that ship for free, and standing up an adversarial agent that hunts for chained exploits before an attacker finds them.
Ismail also warns that the same instincts protecting enterprises may be quietly strangling open source itself. You'll hear why he thinks the big registries have dropped the ball, what a "Darwinian GitHub" would mean for anyone shipping a new package, and the one move he believes can keep the ecosystem alive.
Superagent: https://superagent.sh
Superagent on X: https://x.com/superagent_ai
Superagent on GitHub: https://github.com/superagent-ai
pnpm: https://pnpm.io
Socket: https://socket.dev
📚 MASTRA RESOURCES
Mastra: https://mastra.ai
Mastra on X: https://x.com/mastra_ai
Discord: https://mastra.ai/community/discord
GitHub: https://github.com/mastra-ai
Free course: https://mastra.ai/course
Principles of Building AI Agents: https://mastra.ai/books/principles-of-building-ai-agents
Patterns of Building AI Agents: https://mastra.ai/books/patterns-of-building-ai-agents
WHAT IS MASTRA
Mastra is an open-source TypeScript framework designed for building and shipping AI-powered applications and agents with minimal friction. It supports the full lifecycle of agent development — from prototype to production.
⏱️ CHAPTERS
0:00 Cold open
0:21 What is Superagent
0:53 How AI sped up attack timelines
2:14 Why phishing is the way in
4:35 Outdated CI/CD workflows
6:04 Two defenses: CI/CD checks and switching to pnpm
7:18 The risk hiding in skills and agents
8:11 Should you delay installing new packages?
8:54 The Darwinian GitHub threat to open source
9:55 Why supply chain attacks are so popular
11:34 Will companies abandon open source?
13:53 Why Ismail is frustrated with GitHub and npm
14:32 Practical defenses for maintainers
18:12 Where to find Superagent