I Ran npm install 1,000 Times This Year. Here's Why That Scares Me Now.

TL;DR: The GlassWorm campaign compromised 151+ GitHub repos and 72+ VS Code extensions in March 2026 using invisible Unicode payloads, AI-generated camouflage, and blockchain-based command infrastructure. As a solo developer running a Next.js app in production, I walked through what I checked, what I changed, and why indie builders can no longer ignore supply chain security.