npm's supply chain is broken — the Axios attack explains why
Technical analysis of the Axios npm supply chain attack in March 2026: what happened, what the malware did, why CI/CD is the real target, and how to protect yourself.
Blog
27 posts on systems, architecture, reliability, and leadership.
2026 25 posts
March 3
-
LangGraph, CrewAI, and Agno: getting started with AI agents in Python
A practical guide to getting started with AI agents. Three frameworks, the same problem, real examples, and an honest comparison.
-
When AI Stops Being a Tool and Becomes an Attack Surface
When AI becomes an attack surface: prompt injection, end-to-end attack chains, at-risk architectures, and defensive actions.
-
Fackel: an autonomous pentest framework powered by ReAct agents
Fackel: a multi-agent pentest framework where LLMs decide strategy. Architecture walkthrough, design decisions, and lessons learned.
February 10
-
Device Code Phishing + Vishing: How Attackers Compromise Microsoft Entra Accounts Using Legit Login Pages
Device code phishing combined with vishing targeting Microsoft Entra: how the OAuth flow gets abused, what to monitor, and how to mitigate.
-
The State of the Art in AI Agents (2026): What ‘Modern’ Actually Means
A practical overview of modern AI agent systems: tool use, retrieval, memory, verification, multi-agent patterns, evaluation, and security.
-
The chain rule behind autoregressive models
Autoregressive models are just the probability chain rule plus a conditional model. Here’s the mental model, the math, and what training is really doing.
-
Decision memos that prevent circular debates
A lightweight memo format that clarifies the call, exposes trade-offs, and speeds up execution.
-
Security Implications of Probabilistic Reasoning in Generative AI
A rigorous analysis of how probabilistic reasoning in generative models shapes security risk, failure modes, and robustness.
-
Separation of Responsibilities in Spring-Based Systems: What Kotlin Makes Explicit
How Kotlin's type system sharpens responsibility boundaries in Spring-style architectures without replacing architectural discipline.
-
The Skills Required to Truly Learn
A reflective essay on learning as disciplined endurance of uncertainty, revision, and silence.
-
The Cost of Abstraction: When Layers Hide Security and Reliability Risks
Argues that abstraction layers can obscure failure modes, shift risk across boundaries, and weaken assurance unless their assumptions are made explicit.
-
Amazon Bedrock: foundations, systems, and scaling
A highly technical article on Amazon Bedrock with mathematical foundations and numerical examples.
-
What SICP Really Teaches About Abstraction—and Why It Still Matters
Argues that SICP’s core lesson is the disciplined separation of meaning from mechanism, a prerequisite for reliable and scalable system design.
January 11
-
Podcast episode
A post with a Spotify episode embedded at the top.
-
Calculus, AI, and linear algebra: a compact field guide
A quick, code-backed refresher on gradients, Jacobians, and the linear algebra that drives modern ML.
-
Publish fast, iterate later
How to publish faster without losing quality: scope, guardrails, and a minimal checklist.
-
Graceful retries in Python with backoff
A small, production-ready retry helper using exponential backoff and logging.
-
Streaming logs in Rust with Tokio
Build a small async log streamer that tails a file and ships JSON lines.
-
Cut the excess
A quick editing pass to make any post shorter and clearer.
-
Leading with trade-offs
A repeatable way to expose options, trade-offs, and a clear call in small teams.
-
1:1s that don't become status meetings
A simple structure to keep 1:1s focused on people, not project status.
-
2025 Retrospective: less, better, and consistent
Three practical lessons that made the year more sustainable and effective.
-
Why Traditional Threat Modeling Breaks Down in Generative AI Systems
Probabilistic behavior, distributional risk, and system composability invalidate core assumptions of classical threat modeling for generative AI.
-
Why Most Postmortems Miss the Real Failure Mode
Postmortems often substitute proximate triggers for causal structure, obscuring system dynamics and latent conditions that drive failure.
2025 2 posts