A real-world implementation of static + LLM-based scanning for Claude Code / Cursor skill layers

npm's supply chain defenses have matured fast. By 2026, pnpm ships with an automatic 1-day release-age cooldown (default ON), and npm v12 will block install scripts by default. The battle for package-l...
Source: [Dev.to](https://dev.to/hotsa104/when-package-managers-cant-help-defending-ai-agent-skills-against-supply-chain-attacks-4681)