Links
Over the past 15 months a series of high-profile backdoors, worms and trojans have compromised thousands of npm, PyPI and other open-source packages, exposing millions of downstream projects to remote access, data wiping and credential theft. The article traces incidents from the xz-utils backdoor to self-propagating npm worms, explains how deep dependency trees magnify risk, and outlines immediate steps—pinning versions, auditing dependencies and funding maintainers—to stem the threat.
This article explores how advancements in software design, particularly through LLMs, shift the focus from using standard libraries to generating custom code. It highlights the implications for dependency management and emphasizes the need to understand the problem being solved rather than just the mechanics of coding. The author compares this shift to the evolution of 3D printing in manufacturing.