Security at Scale – With Liran Tal (Snyk)

🎧 New Señors @ Scale Episode

This week, I spoke with Liran Tal, Director of Developer Advocacy at Snyk, longtime open source maintainer, and GitHub Star, about what security at scale really looks like when you are shipping JavaScript and Node.js into production in 2025.

Liran has been around security since the BBS and IRC days, but his focus has always been on developers and real software delivery. In this episode, we unpack NPM malware, maintainer compromise, MCP attacks, AI generated code, and the uncomfortable gap between “we ship fast” and “we actually understand our risk surface.”

Rather than generic OWASP checklists, this conversation stays close to incidents, patterns, and the habits that make or break teams.

⚙️ Main Takeaways

1. Security at scale is now a developer problem, not just an AppSec problem

For a long time, security meant network perimeters, firewalls, and a security team that dropped a PDF on you every six months. The last decade flipped that model. The main attack surface today is application code, third party packages, and the tools developers use to build and deploy.

Developer-first security means bringing scanning and fixes into the CLI, IDE, and pull request. It removes the backlog and replaces it with fast, contextual feedback where work actually happens.

The core idea: security only scales when developers participate by default, not as an escalation path.

2. NPM supply chain risk is about people, not just packages

Vulnerable dependencies get headlines, but the modern attacks Liran describes target maintainers, not code.

Weak passwords, reused credentials, unprotected accounts, old maintainers with forgotten access — once attackers compromise a maintainer, they can publish malicious versions, harvest tokens, and infect other repositories in a chain reaction.

Even worse are internal workflows that increase the blast radius. A common example:
“Upgrade everything to latest” in CI.
It sounds efficient, but in CI you expose environment variables, private modules, and proprietary source. If a malicious package slips through, your CI pipeline becomes an exfiltration tool.

This is the real threat. Not just vulnerable code, but untrusted people, untrusted processes, and untrusted defaults.

3. Healthy dependency habits are real security controls

Liran built NPQ, a small CLI that intercepts npm install and performs health checks before the package lands on your system.

Checks include:

• recent publish date
• known vulnerabilities
• suspicious release patterns
• activity and maintenance signals

It’s not meant to be perfect. It’s meant to stop developers from installing packages published seven hours ago or typosquatted variants that look legitimate.

There’s a broader lesson here:
small, lightweight guardrails outperform heavyweight audits.
Pin versions. Upgrade intentionally. Add friction in the right places.

4. AI, MCP, and prompt injection create new classes of security problems

This episode goes deep into MCP servers and AI agent security.

MCPs introduce multiple layers of risk:

• malicious MCP servers poisoning tool behavior
• legitimate MCP servers containing classic security bugs
• prompt injection that alters agent logic or extracts protected data
• toxic flows where data from one repo triggers actions in another

AI browsers amplify this. Invisible Unicode characters can carry instructions that humans never see (“Glassworm”). Shadowed tools can override intended commands. Prompt injection is not theoretical — it is inherent.

Liran’s message is clear:
traditional AppSec patterns do not cover how agents and MCPs behave.
You need isolation, scanning, version pinning, and layered validation.

5. AI generated code is statistically insecure — you need a feedback loop

Models train on real code. Real code contains vulnerabilities. So AI-generated code will inevitably drift into insecure patterns like:

• unsafe path concatenation
• injection vulnerabilities
• unsafe default configuration
• exposure of sensitive data

Snyk has tested this across multiple models using prompts demanding secure output. The results still vary.

The fix is tying scanning directly into the agent loop:
agent writes code → Snyk scans → feedback returned → agent refactors → repeat until secure.

This shifts AI development from “trust the model” to “verify by construction.”

6. Real incidents show how tiny details uncover massive backdoors

The stories Liran shares ground everything in reality:

• EventStream showed how precise attackers can be when they understand the dependency graph.
• XZ Utils revealed a years-long, social-engineering-driven supply chain attack that nearly compromised SSH on Linux.
• It was discovered because one engineer noticed a few hundred milliseconds of delay on disconnect.

Security failures rarely arrive with alarms. They appear as small anomalies that curious engineers refuse to ignore.

Liran also shares more everyday issues: plaintext passwords discovered during a migration, XSS caused by lax UX permissions, and weak governance that let anonymous actions write unsafe HTML.

The through-line:
security is a human practice, not a theoretical discipline.

🧠 What I Learned

• Developer workflows shape your security posture more than any static checklist.
• Supply chain risk is deeply tied to identity, trust, and maintainer security.
• Guardrails like NPQ prevent entire classes of mistakes.
• AI coding and MCPs create new threat surfaces that don’t map cleanly to OWASP.
• Prompt-level instructions cannot ensure secure output — automated scanning can.
• UX decisions can become attack vectors without anyone noticing.

💬 Favorite Quotes

“Security at scale is a complex challenge.”
“AI generated code is not always secure.”
“Security and UX must work together.”
“You probably don’t want to install something that was published seven hours ago.”
“If your CLI has command injection and the agent calls it, that’s a breach waiting to happen.”

🎯 Also in this Episode

• How NPM became the highest-value target in modern software
• Why local MCP servers are riskier than remote ones
• Toxic flows and the GitHub and Cursor incidents
• The mechanics of SQL injection and command injection inside MCP servers
• Why Liran will not install browser extensions or AI browsers
• What real maintainer compromise looks like in practice

Resources

More from Liran:
Node Security Books by Liran Tal
GitHub
NPQ Package Checker
Snyk Blog
LinkedIn

🎧 Listen Now

🎧 Spotify
📺 YouTube
🍏 Apple Podcasts

Episode Length: 57 minutes on modern security, supply chain risk, developer workflows, and how to ship safely with AI and open source.

Happy shipping,
Dan