The Helio blog

Field notes on AI agent governance, MCP, and the runtime controls that keep autonomous systems safe.

Oli Guei

Malicious npm Packages With Valid SLSA Provenance: Inside the TanStack Attack

On 11 May 2026, malicious @tanstack npm packages shipped with valid SLSA provenance (CVE-2026-45321). Why every signature check passed - and what it means for supply-chain trust.

Oli Guei

MCP Agent Governance: The Missing Layer Between Your Agent and Disaster

Your MCP agent can call any tool it can reach, and nothing deterministic checks what it does. The AI agent governance layer most teams skip - and how to fill it.