
EPISODE · Nov 16, 2025 · 57 MIN

Security at Scale with Liran Tal - Director of Developer Advocacy at Snyk

from Señors at Scale - Software Engineering & Tech Leadership · host Dan Neciu

In this episode of Señors @ Scale, Dan sits down with Liran Tal, Director of Developer Advocacy at Snyk, GitHub Star, and one of the most influential voices in modern application security. Liran has spent decades at the intersection of open-source ecosystems, Node.js, supply chain security, and now AI agent security, helping developers ship fast without exposing themselves to silent, catastrophic risks.

He breaks down the real stories behind today’s security landscape — from NPM malware and maintainer compromises to MCP attacks, toxic flows, and the hidden vulnerabilities emerging from AI-driven development.

We dig into what “security at scale” actually means: how attackers compromise maintainers and publish worm-style malware, how invisible Unicode payloads bypass human review, why AI-generated code is statistically insecure, and how developers can build guardrails directly into their workflows with tools like Snyk, NPQ, and MCP scanning.

Liran also reveals the problems teams consistently underestimate — developer ergonomics, dependency trust, package governance, CI risk, and why blindly upgrading dependencies is one of the most dangerous patterns in modern engineering.

The conversation goes far beyond theory — into secure coding, package hygiene, NPM ecosystem fragility, MCP prompt injection, SQL and command injection patterns, and what real-world breaches teach us about resilience.

If you build software, install dependencies, or use AI coding agents, this episode is a masterclass in defensive engineering, supply chain awareness, and the new security realities shaping our industry.

Chapters

00:00 Security at Scale – Why It Matters Now
02:14 How Liran Got Into Security
05:12 The Shift Toward Developer-Led Security
08:33 How Snyk Changed the Developer Security Workflow
11:07 The Story Behind NPQ and Safer Dependency Installation
14:02 The Rise of NPM Malware and Maintainer Compromise
16:48 Why Blind Upgrade Everything Pipelines Are Dangerous
19:15 Is Node the Problem or Is It NPM
21:10 The Hidden Risk of MCPs and AI Agent Vulnerabilities
24:18 Toxic Flows, Shadowed Tools, and Prompt Injection
27:22 AI Browsers, Extensions, and Real Prompt Injection Attacks
30:04 Why Prompt Injection Has No True Fix
33:01 AI-Generated Code Is Statistically Insecure
35:12 How Snyk Plus MCP Creates a Secure Coding Loop
37:40 The Most Common MCP Vulnerabilities
40:55 How AI Agents Turn Mild Bugs Into Critical RCE
43:11 The Glassworm Invisible Unicode Attack Vector
44:51 EventStream, XZ Utils, and Supply Chain Horror Stories
48:03 Liran’s Personal Security Incidents
51:10 UX vs Security and Real World Tension
53:04 Liran’s Book Recommendations
55:37 Final Thoughts and Protecting Yourself as AI Evolves

Sound Bites

"Security at scale is a complex challenge."
"AI-generated code is not always secure."
"Security and UX must work together."

Follow & Subscribe:

Instagram: https://www.instagram.com/senorsatscale/
Instagram: https://www.instagram.com/neciudev
Podcast URL: https://neciudan.dev/senors-at-scale
Newsletter: https://neciudan.dev/subscribe
LinkedIn: https://www.linkedin.com/in/neciudan
LinkedIn: https://www.linkedin.com/company/señors-scale/

Additional Resources

Snyk – developer-first security tools
Serverless Security (O’Reilly) – co-authored by Liran
Liran’s GitHub: https://github.com/lirantal
NPQ package checker: https://github.com/lirantal/npq
MCP Scan (Snyk) – securing MCP servers

#security #softwaresecurity #supplychainsecurity #npm

Don’t forget to like, comment, and subscribe for more engineering stories from the front lines.

How are you protecting your stack from supply chain attacks? Share below 👇
