https://appsec.fyi/supplychain.html Curated Supply Chain Security resources from appsec.fyi en-us Wed, 22 Apr 2026 18:38:42 +0000 carl@chs.us (Carl Sampson) https://strobes.co/blog/axios-npm-supply-chain-attack-compromised-rat-2026/ https://strobes.co/blog/axios-npm-supply-chain-attack-compromised-rat-2026/ Axios npm Supply Chain Attack: 83M Downloads Hit Supply Chain Security Wed, 22 Apr 2026 12:52:51 +0000 https://socradar.io/blog/axios-npm-supply-chain-attack-2026-ciso-guide/ https://socradar.io/blog/axios-npm-supply-chain-attack-2026-ciso-guide/ Axios npm Hijack 2026: Everything You Need to Know Supply Chain Security Wed, 22 Apr 2026 12:52:50 +0000 https://thehackernews.com/2026/03/teampcp-pushes-malicious-telnyx.html https://thehackernews.com/2026/03/teampcp-pushes-malicious-telnyx.html TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files Supply Chain Security Wed, 22 Apr 2026 12:52:49 +0000 https://www.stepsecurity.io/blog/litellm-credential-stealer-hidden-in-pypi-wheel https://www.stepsecurity.io/blog/litellm-credential-stealer-hidden-in-pypi-wheel litellm: Credential Stealer Hidden in PyPI Wheel Supply Chain Security Wed, 22 Apr 2026 12:52:49 +0000 https://github.blog/news-insights/product-news/whats-coming-to-our-github-actions-2026-security-roadmap/ https://github.blog/news-insights/product-news/whats-coming-to-our-github-actions-2026-security-roadmap/ What's Coming to Our GitHub Actions 2026 Security Roadmap Supply Chain Security Wed, 22 Apr 2026 12:52:48 +0000 https://jfrog.com/blog/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected/ https://jfrog.com/blog/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected/ Shai-Hulud npm Supply Chain Attack: New Compromised Packages Detected Supply Chain Security Wed, 22 Apr 2026 12:52:47 +0000 https://securitylabs.datadoghq.com/articles/litellm-compromised-pypi-teampcp-supply-chain-campaign/ https://securitylabs.datadoghq.com/articles/litellm-compromised-pypi-teampcp-supply-chain-campaign/ LiteLLM and Telnyx Compromised on PyPI: Tracing the TeamPCP Supply Chain Campaign Supply Chain Security Wed, 22 Apr 2026 12:52:46 +0000 https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/ https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/ Keeping Your GitHub Actions Secure Part 1: Preventing Pwn Requests Supply Chain Security Wed, 22 Apr 2026 12:52:45 +0000 https://www.wiz.io/blog/github-actions-security-threat-model-and-defenses https://www.wiz.io/blog/github-actions-security-threat-model-and-defenses GitHub Actions Security Pt 1: Attacks & Defenses (Wiz) Supply Chain Security Wed, 22 Apr 2026 12:52:44 +0000 https://blog.gitguardian.com/shai-hulud-a-persistent-secret-leaking-campaign/ https://blog.gitguardian.com/shai-hulud-a-persistent-secret-leaking-campaign/ Shai-Hulud: A Persistent Secret Leaking Campaign — GitGuardian Supply Chain Security Sun, 19 Apr 2026 02:37:08 +0000 https://www.splunk.com/en_us/blog/security/npm-supply-chain-attack-detection-analysis.html https://www.splunk.com/en_us/blog/security/npm-supply-chain-attack-detection-analysis.html Defending Against npm Supply Chain Attacks — Splunk Supply Chain Security Sun, 19 Apr 2026 02:22:21 +0000 https://access.redhat.com/security/supply-chain-attacks-NPM-packages https://access.redhat.com/security/supply-chain-attacks-NPM-packages Multiple Supply Chain Attacks against npm Packages — Red Hat Supply Chain Security Sun, 19 Apr 2026 02:22:20 +0000 https://arcticwolf.com/resources/blog/shai-hulud-malware-targets-numerous-npm-packages-second-wave-npm-supply-chain-attack/ https://arcticwolf.com/resources/blog/shai-hulud-malware-targets-numerous-npm-packages-second-wave-npm-supply-chain-attack/ Shai-Hulud Malware: Second-Wave npm Supply Chain Attack Supply Chain Security Sun, 19 Apr 2026 02:22:20 +0000 https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem CISA: Widespread Supply Chain Compromise Impacting npm Ecosystem Supply Chain Security Sun, 19 Apr 2026 02:22:19 +0000 https://arxiv.org/abs/2503.12192v1 https://arxiv.org/abs/2503.12192v1 Closing the Chain: How to reduce SolarWinds/Log4j/XZ risk (arXiv) Supply Chain Security Fri, 17 Apr 2026 14:50:56 +0000 https://www.fortinet.com/resources/cyberglossary/solarwinds-cyber-attack https://www.fortinet.com/resources/cyberglossary/solarwinds-cyber-attack SolarWinds Supply Chain Attack (Fortinet) Supply Chain Security Fri, 17 Apr 2026 14:50:55 +0000 https://github.com/ossf/malicious-packages https://github.com/ossf/malicious-packages ossf/malicious-packages: Reports of malicious open source packages Supply Chain Security Fri, 17 Apr 2026 14:50:54 +0000 https://spectralops.io/blog/5-examples-of-dependency-confusion-attacks/ https://spectralops.io/blog/5-examples-of-dependency-confusion-attacks/ 5 Examples of Dependency Confusion Attacks (Spectral) Supply Chain Security Fri, 17 Apr 2026 14:50:53 +0000 https://www.aquasec.com/cloud-native-academy/supply-chain-security/dependency-confusion/ https://www.aquasec.com/cloud-native-academy/supply-chain-security/dependency-confusion/ What Is a Dependency Confusion Attack? (Aqua Security) Supply Chain Security Fri, 17 Apr 2026 14:50:53 +0000 https://slsa.dev/blog/2024/08/dep-confusion-and-typosquatting https://slsa.dev/blog/2024/08/dep-confusion-and-typosquatting Defender's Perspective: Dep Confusion and Typosquatting (SLSA) Supply Chain Security Fri, 17 Apr 2026 14:50:52 +0000 https://www.darkreading.com/application-security/sboms-in-2026-some-love-some-hate-much-ambivalence https://www.darkreading.com/application-security/sboms-in-2026-some-love-some-hate-much-ambivalence SBOMs in 2026: Some Love, Some Hate, Much Ambivalence Supply Chain Security Fri, 17 Apr 2026 14:50:51 +0000 https://www.cisa.gov/sbom https://www.cisa.gov/sbom Software Bill of Materials (SBOM) (CISA) Supply Chain Security Fri, 17 Apr 2026 14:50:50 +0000 https://slsa.dev/spec/v1.2/about https://slsa.dev/spec/v1.2/about About SLSA (spec v1.2) Supply Chain Security Fri, 17 Apr 2026 14:50:50 +0000 https://snyk.io/articles/software-bill-of-materials/ https://snyk.io/articles/software-bill-of-materials/ What is a Software Bill of Materials (SBOM)? (Snyk) Supply Chain Security Fri, 17 Apr 2026 14:50:49 +0000 https://arxiv.org/html/2506.03507v1 https://arxiv.org/html/2506.03507v1 SBOM Literature Review (arXiv) Supply Chain Security Fri, 17 Apr 2026 14:50:48 +0000 https://slsa.dev/blog/2022/05/slsa-sbom https://slsa.dev/blog/2022/05/slsa-sbom SBOM + SLSA: Accelerating SBOM success with SLSA Supply Chain Security Fri, 17 Apr 2026 14:50:47 +0000 https://docs.sbom.observer/learn/topics/slsa https://docs.sbom.observer/learn/topics/slsa SLSA - Comprehensive Approach to Supply Chain Security (SBOM Observer) Supply Chain Security Fri, 17 Apr 2026 14:50:47 +0000 https://cycode.com/blog/software-bill-of-materials/ https://cycode.com/blog/software-bill-of-materials/ Understanding SBOM: Transparency & Security in Supply Chains (Cycode) Supply Chain Security Fri, 17 Apr 2026 14:50:46 +0000 https://www.trendmicro.com/en_us/research/25/i/npm-supply-chain-attack.html https://www.trendmicro.com/en_us/research/25/i/npm-supply-chain-attack.html What We Know About the NPM Supply Chain Attack (Trend Micro) Supply Chain Security Fri, 17 Apr 2026 14:50:45 +0000 https://thehackernews.com/2025/06/new-supply-chain-malware-operation-hits.html https://thehackernews.com/2025/06/new-supply-chain-malware-operation-hits.html New Supply Chain Malware Operation Hits npm and PyPI Supply Chain Security Fri, 17 Apr 2026 14:50:44 +0000 https://www.upwind.io/feed/npm-supply-chain-attack-massive-compromise-of-debug-chalk-and-16-other-packages https://www.upwind.io/feed/npm-supply-chain-attack-massive-compromise-of-debug-chalk-and-16-other-packages npm Supply Chain Attack: Debug, Chalk + 16 Packages Compromise (Upwind) Supply Chain Security Fri, 17 Apr 2026 14:50:44 +0000 https://thehackernews.com/2025/06/malicious-pypi-npm-and-ruby-packages.html https://thehackernews.com/2025/06/malicious-pypi-npm-and-ruby-packages.html Malicious PyPI, npm, Ruby Packages Exposed (The Hacker News) Supply Chain Security Fri, 17 Apr 2026 14:50:43 +0000 https://xygeni.io/blog/a-closer-look-at-software-supply-chain-attacks-2025/ https://xygeni.io/blog/a-closer-look-at-software-supply-chain-attacks-2025/ A Closer Look at Software Supply Chain Attacks 2025 (Xygeni) Supply Chain Security Fri, 17 Apr 2026 14:50:42 +0000 https://medium.com/@joyichiro/the-pypi-supply-chain-attacks-of-2025-what-every-python-backend-engineer-should-learn-from-the-875ba4568d10 https://medium.com/@joyichiro/the-pypi-supply-chain-attacks-of-2025-what-every-python-backend-engineer-should-learn-from-the-875ba4568d10 The PyPI Supply Chain Attacks of 2025: What Python Engineers Should Learn Supply Chain Security Fri, 17 Apr 2026 14:50:41 +0000 https://securitylabs.datadoghq.com/articles/learnings-from-recent-npm-compromises/ https://securitylabs.datadoghq.com/articles/learnings-from-recent-npm-compromises/ Learnings from Recent npm Supply Chain Compromises - Datadog Supply Chain Security Thu, 16 Apr 2026 21:05:04 +0000 https://www.elastic.co/security-labs/axios-one-rat-to-rule-them-all https://www.elastic.co/security-labs/axios-one-rat-to-rule-them-all Inside the Axios Supply Chain Compromise - Elastic Security Labs Supply Chain Security Thu, 16 Apr 2026 21:05:03 +0000 https://safedep.substack.com/p/lockfile-poisoning-an-attack-vector https://safedep.substack.com/p/lockfile-poisoning-an-attack-vector Lockfile Poisoning: Introducing Malware in Supply Chain - SafeDep Supply Chain Security Thu, 16 Apr 2026 21:05:02 +0000 https://blog.checkpoint.com/research/shai-hulud-2-0-inside-the-second-coming-the-most-aggressive-npm-supply-chain-attack-of-2025/ https://blog.checkpoint.com/research/shai-hulud-2-0-inside-the-second-coming-the-most-aggressive-npm-supply-chain-attack-of-2025/ Shai-Hulud 2.0: Most Aggressive NPM Supply Chain Attack of 2025 - Check Point Supply Chain Security Thu, 16 Apr 2026 21:05:01 +0000 https://blog.gitguardian.com/supply-chain-security-sigstore-and-cosign-part-ii/ https://blog.gitguardian.com/supply-chain-security-sigstore-and-cosign-part-ii/ Supply Chain Security: Sigstore and Cosign - GitGuardian Supply Chain Security Thu, 16 Apr 2026 21:05:01 +0000 https://github.com/DataDog/guarddog https://github.com/DataDog/guarddog GuardDog: CLI Tool to Identify Malicious PyPI and npm Packages Supply Chain Security Thu, 16 Apr 2026 21:05:00 +0000 https://www.sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066 https://www.sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066 tj-actions Supply Chain Attack (CVE-2025-30066) - Sysdig Supply Chain Security Thu, 16 Apr 2026 21:04:59 +0000 https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/ https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/ tj-actions/changed-files Compromised - Semgrep Supply Chain Security Thu, 16 Apr 2026 21:04:58 +0000 https://www.kaspersky.com/blog/supply-chain-attacks-in-2025/55522/ https://www.kaspersky.com/blog/supply-chain-attacks-in-2025/55522/ Most Notable Supply Chain Attacks of 2025 - Kaspersky Supply Chain Security Thu, 16 Apr 2026 21:04:58 +0000 https://www.hunters.security/en/blog/github-actions-supply-chain-attack https://www.hunters.security/en/blog/github-actions-supply-chain-attack GitHub Actions Supply Chain Attacks: tj-actions and reviewdog - Hunters Supply Chain Security Thu, 16 Apr 2026 21:04:57 +0000 https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package DPRK Threat Actor Compromises Axios NPM Package Supply Chain Security Sat, 11 Apr 2026 16:49:02 +0000 https://www.sygnia.co/threat-reports-and-advisories/npm-supply-chain-attack-september-2025/ https://www.sygnia.co/threat-reports-and-advisories/npm-supply-chain-attack-september-2025/ 16 Minutes to Impact: npm crypto-draining malware Supply Chain Security Sat, 11 Apr 2026 16:49:01 +0000 https://www.paloaltonetworks.com/blog/cloud-security/npm-supply-chain-attack/ https://www.paloaltonetworks.com/blog/cloud-security/npm-supply-chain-attack/ Widespread npm Supply Chain Attack: Billions at Risk Supply Chain Security Sat, 11 Apr 2026 16:49:01 +0000 https://www.wiz.io/blog/widespread-npm-supply-chain-attack-breaking-down-impact-scope-across-debug-chalk https://www.wiz.io/blog/widespread-npm-supply-chain-attack-breaking-down-impact-scope-across-debug-chalk npm Supply Chain Attack: debug, chalk, and Beyond Supply Chain Security Sat, 11 Apr 2026 16:49:00 +0000 https://blog.gitguardian.com/the-nx-s1ngularity-attack-inside-the-credential-leak/ https://blog.gitguardian.com/the-nx-s1ngularity-attack-inside-the-credential-leak/ The Nx s1ngularity Attack: Inside the Credential Leak Supply Chain Security Sat, 11 Apr 2026 16:48:59 +0000 https://www.wiz.io/blog/s1ngularity-supply-chain-attack https://www.wiz.io/blog/s1ngularity-supply-chain-attack s1ngularity: Nx supply chain attack leaks secrets Supply Chain Security Sat, 11 Apr 2026 16:48:58 +0000