Filing security under later does not work. For most of my career, when a vulnerability got disclosed, attackers needed days, often weeks, to turn it into a weapon. Defenders had a head start, and it's not the case anymore.
A few days from calling the build ready, one of the packages I lean on got poisoned. A release of a core dependency, one that sat deep in my stack, went up on the package index carrying a deliberate compromise. Not a bug. A rigged version built to harvest secrets: the keys, tokens, and passwords a developer has lying around. It got caught and pulled fast, but that doesn't help when it's already sitting in your own dependency tree.
I froze for a few moments, then got to work.
It hit hard because I already knew AI was making the challenge of securing what we build worse. I'd read about it and nodded along, then deferred the library hardening until the app was built and production-ready. The warning had been in front of me for months, filed under later.
Exposures






