The jqwik 1.10.0 Java library release included a deliberate change by its maintainer to instruct AI coding agents to delete jqwik tests and code — a novel form of protestware. The incident highlights a new supply-chain attack surface: plain-text instructions embedded in library output that bypass traditional security scanners (which look for install hooks, network calls, obfuscated strings, etc.), pass SLSA provenance checks, and are unlikely to be caught in routine patch-bump reviews.
Table of contents
jqwik 1.10.0 pulled, 1.10.1 replaces it with modified promptSort: