
In this episode of Señors @ Scale, Dan sits down with Liran Tal, Director of Developer Advocacy at Snyk, GitHub Star, and one of the most influential voices in modern application security. Liran has spent decades at the intersection of open-source ecosystems, Node.js, supply chain security, and now AI agent security, helping developers ship fast without exposing themselves to silent, catastrophic risks.
He breaks down the real stories behind today’s security landscape — from NPM malware and maintainer compromises to MCP attacks, toxic flows, and the hidden vulnerabilities emerging from AI-driven development.
We dig into what “security at scale” actually means: how attackers compromise maintainers and publish worm-style malware, how invisible Unicode payloads bypass human review, why AI-generated code is statistically insecure, and how developers can build guardrails directly into their workflows with tools like Snyk, NPQ, and MCP scanning.
Liran also reveals the problems teams consistently underestimate — developer ergonomics, dependency trust, package governance, CI risk, and why blindly upgrading dependencies is one of the most dangerous patterns in modern engineering.
The conversation goes far beyond theory — into secure coding, package hygiene, NPM ecosystem fragility, MCP prompt injection, SQL and command injection patterns, and what real-world breaches teach us about resilience.
If you build software, install dependencies, or use AI coding agents, this episode is a masterclass in defensive engineering, supply chain awareness, and the new security realities shaping our industry.
Chapters
00:00 Security at Scale – Why It Matters Now
02:14 How Liran Got Into Security
05:12 The Shift Toward Developer-Led Security
08:33 How Snyk Changed the Developer Security Workflow
11:07 The Story Behind NPQ and Safer Dependency Installation
14:02 The Rise of NPM Malware and Maintainer Compromise
16:48 Why Blind Upgrade Everything Pipelines Are Dangerous
19:15 Is Node the Problem or Is It NPM
21:10 The Hidden Risk of MCPs and AI Agent Vulnerabilities
24:18 Toxic Flows, Shadowed Tools, and Prompt Injection
27:22 AI Browsers, Extensions, and Real Prompt Injection Attacks
30:04 Why Prompt Injection Has No True Fix
33:01 AI-Generated Code Is Statistically Insecure
35:12 How Snyk Plus MCP Creates a Secure Coding Loop
37:40 The Most Common MCP Vulnerabilities
40:55 How AI Agents Turn Mild Bugs Into Critical RCE
43:11 The Glassworm Invisible Unicode Attack Vector
44:51 EventStream, XZ Utils, and Supply Chain Horror Stories
48:03 Liran’s Personal Security Incidents
51:10 UX vs Security and Real World Tension
53:04 Liran’s Book Recommendations
55:37 Final Thoughts and Protecting Yourself as AI Evolves
Sound Bites
"Security at scale is a complex challenge."
"AI-generated code is not always secure."
"Security and UX must work together."
Follow & Subscribe:
Instagram: https://www.instagram.com/senorsatscale/
Instagram: https://www.instagram.com/neciudev
Podcast URL: https://neciudan.dev/senors-at-scale
Newsletter: https://neciudan.dev/subscribe
LinkedIn: https://www.linkedin.com/in/neciudan
LinkedIn: https://www.linkedin.com/company/señors-scale/
Additional Resources
Snyk – developer-first security tools
Serverless Security (O’Reilly) – co-authored by Liran
Liran’s GitHub: https://github.com/lirantal
NPQ package checker: https://github.com/lirantal/npq
MCP Scan (Snyk) – securing MCP servers