supply-chain-defense-for-ml-extensions - Skill Dossier

Defend long-running ML/AI daemons against supply-chain attacks delivered through third-party extension ecosystems: ComfyUI custom nodes, VS Code extensions, npm postinstall scripts, Hugging Face Spaces, Ray clusters, Triton/Cog plugins, and browser extensions. Activate on: supply chain attack, malicious package, custom node security, dependency confusion, package backdoor, cryptominer in dependency, Akira / Pickai / leftpad / event-stream / ua-parser-js, Sigstore signing, lockfile pinning, capability sandboxing, egress allowlist for ML, Comfy Registry malicious node, npm postinstall mining. NOT for: OS-level kernel hardening, datacenter physical security, traditional appsec for web apps, CVE patching of OS packages, or live incident response (use comfyui-incident-response).

Uncategorized

Allowed Tools

Read, Write, Edit, Grep, Glob, Bash(git:*, grep:*, find:*, curl:*, jq:*, sha256sum:*, python:*, uv:*, pip:*, npm:*, docker:*), WebFetch

Skills use the open SKILL.md standard; the same file works across all platforms.

Install all 551 skills as a plugin:

claude plugin marketplace add curiositech/windags-skills
claude plugin install windags-skills

Claude activates supply-chain-defense-for-ml-extensions automatically when your task matches its description.
