
Supply Chain

20 articles

Infosecurity Magazine Supply Chain May 28

Attackers Move Past Typosquatting to Realistic Package Impersonation

Most malicious open source packages now mimic real code rather than rely on typosquatting

T1195

Infosecurity Magazine →

Help Net Security Supply Chain May 28

A single typo could derail your World Cup plans

Cybercriminals are spoofing Fédération Internationale de Football Association (FIFA) websites ahead of the 2026 FIFA World Cup, the FBI warns. The attackers ...

T1195

Help Net Security →

SecurityWeek Supply Chain May 27

‘SymJack’ Attack Turns AI Coding Agents Into Supply Chain Attack Delivery Systems

Malicious repositories and disguised symlinks can trick AI coding agents into silently installing attacker-controlled MCP servers capable of stealing secrets...

T1195

SecurityWeek →

AWS Security Blog Supply Chain Apple Amazon May 26

Well-architected best practices for software supply chain security

There have been multiple notable supply chain attacks using the npm Registry since September: Shai-Hulud, Chalk/Debug, one abusing tea.xyz tokens, and recent...

T1195 1 IOC

AWS Security Blog →

SecurityWeek Supply Chain GitHub May 25

Over 5,500 GitHub Repositories Infected in ‘Megalodon’ Supply Chain Attack

Fake automated commits injected GitHub Actions workflows containing payloads to steal credentials, CI secrets, keys, and tokens.

T1195

SecurityWeek →

GBHackers Supply Chain GitHub May 25

GitHub Strengthens npm Security With Staged Publishing Protection

GitHub has introduced a major security enhancement to the npm ecosystem with the general availability of staged publishing and new install-time controls in n...

T1195

GBHackers →

The Hacker News Supply Chain GitHub May 23

npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks

GitHub has rolled out new controls for npm to improve the security of the software supply chain, giving maintainers the ability to explicitly approve a relea...

T1195 T1598

The Hacker News →

HackRead Supply Chain GitHub May 22

5,561 GitHub Repositories Hit by Megalodon Supply Chain Attack in Six Hours

SafeDep uncovered the Megalodon attack targeting 5,561 GitHub repositories with malicious CI workflows and cloud credential theft.

T1078 T1195

HackRead →

Help Net Security Supply Chain GitLab May 22

GitLab 19.0 adds AI workflows, secrets management, and self-hosted model support

GitLab released GitLab 19.0 with expanded secrets management, agentic merge request workflows, improved CI pipeline visibility, support for self-hosted open-...

Help Net Security →

SecurityWeek Supply Chain GitHub May 22

Grafana Says Codebase and Other Data Stolen via TanStack Supply Chain Attack

Hackers accessed Grafana’s GitHub repositories after a token compromised in the TanStack attack was not rotated.

T1041 T1195

SecurityWeek →

SC Media Supply Chain GitHub May 21

FCC, Github, MiniShai-hulud, Stated of Supply Chain, Itron, CRA, NIS2, and more!! - PSW #927

SC Media →

SecurityWeek Supply Chain May 21

Supply Chain Security Crisis: Too Many Vulnerabilities, Too Little Visibility

New vulnerabilities are being discovered too fast, the time-to-exploitation is too short, and our visibility into them is largely lacking.

SecurityWeek →

SecurityWeek Supply Chain May 20

Over 320 NPM Packages Hit by Fresh Mini Shai-Hulud Supply Chain Attack

A compromised maintainer account was used to publish malicious package versions across the @antv namespace.

T1195

SecurityWeek →

The Hacker News Supply Chain May 20

Typosquatting Is No Longer a User Problem. It's a Supply Chain Problem

AI-generated lookalike domains are now embedded inside the third-party scripts running on your web properties. Here's why your current stack can't see them, ...

T1195

The Hacker News →

GBHackers Supply Chain GitHub May 19

Compromised GitHub Action Steals Workflow Credentials

A widely used GitHub Action, actions-cool/issues-helper, has been compromised in a supply chain attack that exposes sensitive CI/CD secrets to an attacker-co...

T1195

GBHackers →

The Hacker News Supply Chain GitHub May 19

GitHub Actions Supply Chain Attack Redirects Tags to Steal CI/CD Credentials

In yet another software supply chain attack, threat actors have compromised the popular GitHub Actions workflow, actions-cool/issues-helper, to run malicious...

T1041 T1195

The Hacker News →

The Hacker News Supply Chain Docker May 18

Developer Workstations Are Now Part of the Software Supply Chain

Supply chain attackers are not only trying to slip malicious code into trusted software. They are trying to steal the access that makes trusted software poss...

T1195

The Hacker News →

Security Affairs Supply Chain May 16

OpenAI hit by supply chain attack linked to malicious TanStack packages

OpenAI said the TanStack supply chain attack compromised two employee devices and exposed credentials from code repositories. OpenAI confirmed that the recen...

T1195

Security Affairs →

SentinelOne Blog Supply Chain May 15

Living Off the Pipeline: Defending Against CI/CD Subversion

Learn how adversaries weaponize CI/CD pipelines and how continuous behavioral monitoring helps protect against software supply chain attacks.

T1195

SentinelOne Blog →

The Hacker News Supply Chain Apple Intel May 15

TanStack Supply Chain Attack Hits Two OpenAI Employee Devices, Forces macOS Updates

OpenAI has disclosed that two of its employee devices in its corporate environment were impacted via the Mini Shai-Hulud supply chain attack on TanStack, but...

T1195

The Hacker News →

FreeIntelHub · Open-source CTI platform

All articles belong to their respective owners. FreeIntelHub aggregates publicly available RSS feeds for informational purposes only.