Blog & Insights — ScriptWalker

2026.05.02 · 321 views

The First Supply-Chain Worm to Weaponize Claude Code: Inside the SAP npm "Mini Shai-Hulud" Attack

April 29's compromise of four official SAP packages used .claude/settings.json and .vscode/tasks.json for persistence. OWASP A03 just got teeth.

93% of Developers Use AI. Productivity Is Up 10%. Welcome to the 2026 AI Paradox

AI & Automation

2026.05.02 · 145 views

93% of Developers Use AI. Productivity Is Up 10%. Welcome to the 2026 AI Paradox

AI now writes 41% of all code, security vulnerabilities are up 23.7%, and delivery velocity has barely moved. Here is where the value is leaking — and how to plug it.

Why "CLAUDE.md" Became GitHub's Most Forked File of 2026 — and What PHP Teams Should Steal From It

Web Development

2026.05.02 · 183 views

Why "CLAUDE.md" Became GitHub's Most Forked File of 2026 — and What PHP Teams Should Steal From It

A 101k-star single-file repo, a 175k-star agentic skills framework, and the new shape of project documentation for the agent era

"Mini Shai-Hulud" Hit SAP's npm Packages — and Every PHP Team Should Read This Carefully

Security

2026.05.01 · 250 views

"Mini Shai-Hulud" Hit SAP's npm Packages — and Every PHP Team Should Read This Carefully

Why a JavaScript supply-chain worm is a wake-up call for input validation, third-party trust, and the entire CIA triad — even if you do not run Node

From Pair Programming to Orchestrating a Team — Cursor 3 and Claude Code Reset the Baseline in April

AI & Programming

2026.05.01 · 147 views

From Pair Programming to Orchestrating a Team — Cursor 3 and Claude Code Reset the Baseline in April

Ten parallel agents per developer is not a press-release flex; it is the new productivity baseline, and it is changing what "senior engineer" means

Laravel 13 Just Quietly Made Every PHP Shop an AI Shop

Web Development

2026.05.01 · 165 views

Laravel 13 Just Quietly Made Every PHP Shop an AI Shop

AI SDK, pgvector search, and passkeys land first-party — and the 10-minute upgrade path means there is no excuse left

Yesterday's Supply Chain Attack Weaponized Claude Code Itself — How "Mini Shai-Hulud" Hides in .claude/settings.json

Security

2026.04.30 · 259 views

Yesterday's Supply Chain Attack Weaponized Claude Code Itself — How "Mini Shai-Hulud" Hides in .claude/settings.json

Four SAP npm packages were trojaned on April 29 with a Bun-based credential stealer that persists through AI coding agent hooks. Here is exactly what every dev needs to run today — and what it tells us about the OWASP Top 10 of 2026.

Forget SEO. Forget Marketing's AEO. The New "AEO" Is for AI Coding Agents — and It's About to Eat Your Developer Docs

AI

2026.04.30 · 105 views

Forget SEO. Forget Marketing's AEO. The New "AEO" Is for AI Coding Agents — and It's About to Eat Your Developer Docs

Inside Addy Osmani's Agentic Engine Optimization framework: llms.txt, AGENTS.md, and why your API will quietly stop being recommended in 2026 if you skip them.

PHP Just Tied JavaScript as the World's #1 Open-Source Language — and Then the Hiring Crisis Hit

Web Development

2026.04.30 · 114 views

PHP Just Tied JavaScript as the World's #1 Open-Source Language — and Then the Hiring Crisis Hit

Perforce's 2026 Landscape Report says PHP powers more of the web than ever, but engineering managers say their #1 problem is finding people who actually know it.