Supply Chain Security
Software supply chain security addresses threats that target the dependencies, build systems, and distribution channels that modern applications rely on. High-profile incidents like SolarWinds, Log4Shell, and the xz backdoor demonstrated that attackers increasingly target upstream components rather than applications directly. Supply chain attacks include dependency confusion (substituting malicious packages with names matching internal packages), typosquatting in package registries, compromised maintainer accounts, malicious code injected into build pipelines, and trojanized development tools. Defenses include software bills of materials (SBOMs), dependency pinning and lock files, signature verification, provenance attestation (SLSA framework), regular dependency auditing with tools like Dependabot, Snyk, or Socket, and careful evaluation of new dependencies before adoption.
| Date Added | Link | Excerpt |
|---|---|---|
| 2026-04-22 NEW 2026 | Axios npm Supply Chain Attack: 83M Downloads Hit | Axios npm Supply Chain Attack: 83M Downloads Hit |
| 2026-04-22 NEW 2026 | Axios npm Hijack 2026: Everything You Need to Know | Axios npm Hijack 2026: Everything You Need to Know |
| 2026-04-22 NEW 2026 | TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files | TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files |
| 2026-04-22 NEW 2026 | litellm: Credential Stealer Hidden in PyPI Wheel | litellm: Credential Stealer Hidden in PyPI Wheel |
| 2026-04-22 NEW 2026 | What's Coming to Our GitHub Actions 2026 Security Roadmap | What's Coming to Our GitHub Actions 2026 Security Roadmap |
| 2026-04-22 NEW 2026 | Shai-Hulud npm Supply Chain Attack: New Compromised Packages Detected | Shai-Hulud npm Supply Chain Attack: New Compromised Packages Detected |
| 2026-04-22 NEW 2026 | LiteLLM and Telnyx Compromised on PyPI: Tracing the TeamPCP Supply Chain Campaign | LiteLLM and Telnyx Compromised on PyPI: Tracing the TeamPCP Supply Chain Campaign |
| 2026-04-22 NEW 2026 | Keeping Your GitHub Actions Secure Part 1: Preventing Pwn Requests | Keeping Your GitHub Actions Secure Part 1: Preventing Pwn Requests |
| 2026-04-22 NEW 2026 | GitHub Actions Security Pt 1: Attacks & Defenses (Wiz) | GitHub Actions Security Pt 1: Attacks & Defenses (Wiz) |
| 2026-04-19 NEW 2026 | Shai-Hulud: A Persistent Secret Leaking Campaign — GitGuardian | Shai-Hulud: A Persistent Secret Leaking Campaign — GitGuardian |
| 2026-04-19 NEW 2026 | Defending Against npm Supply Chain Attacks — Splunk | Defending Against npm Supply Chain Attacks — Splunk |
| 2026-04-19 NEW 2026 | Multiple Supply Chain Attacks against npm Packages — Red Hat | Multiple Supply Chain Attacks against npm Packages — Red Hat |
| 2026-04-19 NEW 2026 | Shai-Hulud Malware: Second-Wave npm Supply Chain Attack | Shai-Hulud Malware: Second-Wave npm Supply Chain Attack |
| 2026-04-19 NEW 2026 | CISA: Widespread Supply Chain Compromise Impacting npm Ecosystem | CISA: Widespread Supply Chain Compromise Impacting npm Ecosystem |
| 2026-04-17 NEW 2026 | Closing the Chain: How to reduce SolarWinds/Log4j/XZ risk (arXiv) | Closing the Chain: How to reduce SolarWinds/Log4j/XZ risk (arXiv) |
| 2026-04-17 NEW 2026 | SolarWinds Supply Chain Attack (Fortinet) | SolarWinds Supply Chain Attack (Fortinet) |
| 2026-04-17 NEW 2026 | ossf/malicious-packages: Reports of malicious open source packages | ossf/malicious-packages: Reports of malicious open source packages |
| 2026-04-17 NEW 2026 | 5 Examples of Dependency Confusion Attacks (Spectral) | 5 Examples of Dependency Confusion Attacks (Spectral) |
| 2026-04-17 NEW 2026 | What Is a Dependency Confusion Attack? (Aqua Security) | What Is a Dependency Confusion Attack? (Aqua Security) |
| 2026-04-17 NEW 2026 | Defender's Perspective: Dep Confusion and Typosquatting (SLSA) | Defender's Perspective: Dep Confusion and Typosquatting (SLSA) |
| 2026-04-17 NEW 2026 | SBOMs in 2026: Some Love, Some Hate, Much Ambivalence | SBOMs in 2026: Some Love, Some Hate, Much Ambivalence |
| 2026-04-17 NEW 2026 | Software Bill of Materials (SBOM) (CISA) | Software Bill of Materials (SBOM) (CISA) |
| 2026-04-17 NEW 2026 | About SLSA (spec v1.2) | About SLSA (spec v1.2) |
| 2026-04-17 NEW 2026 | What is a Software Bill of Materials (SBOM)? (Snyk) | What is a Software Bill of Materials (SBOM)? (Snyk) |
| 2026-04-17 NEW 2026 | SBOM Literature Review (arXiv) | SBOM Literature Review (arXiv) |
| 2026-04-17 NEW 2026 | SBOM + SLSA: Accelerating SBOM success with SLSA | SBOM + SLSA: Accelerating SBOM success with SLSA |
| 2026-04-17 NEW 2026 | SLSA - Comprehensive Approach to Supply Chain Security (SBOM Observer) | SLSA - Comprehensive Approach to Supply Chain Security (SBOM Observer) |
| 2026-04-17 NEW 2026 | Understanding SBOM: Transparency & Security in Supply Chains (Cycode) | Understanding SBOM: Transparency & Security in Supply Chains (Cycode) |
| 2026-04-17 NEW 2026 | What We Know About the NPM Supply Chain Attack (Trend Micro) | What We Know About the NPM Supply Chain Attack (Trend Micro) |
| 2026-04-17 NEW 2026 | New Supply Chain Malware Operation Hits npm and PyPI | New Supply Chain Malware Operation Hits npm and PyPI |
| 2026-04-17 NEW 2026 | npm Supply Chain Attack: Debug, Chalk + 16 Packages Compromise (Upwind) | npm Supply Chain Attack: Debug, Chalk + 16 Packages Compromise (Upwind) |
| 2026-04-17 NEW 2026 | Malicious PyPI, npm, Ruby Packages Exposed (The Hacker News) | Malicious PyPI, npm, Ruby Packages Exposed (The Hacker News) |
| 2026-04-17 NEW 2026 | A Closer Look at Software Supply Chain Attacks 2025 (Xygeni) | A Closer Look at Software Supply Chain Attacks 2025 (Xygeni) |
| 2026-04-17 NEW 2026 | The PyPI Supply Chain Attacks of 2025: What Python Engineers Should Learn | The PyPI Supply Chain Attacks of 2025: What Python Engineers Should Learn |
| 2026-04-16 NEW 2026 | Learnings from Recent npm Supply Chain Compromises - Datadog | Learnings from Recent npm Supply Chain Compromises - Datadog |
| 2026-04-16 NEW 2026 | Inside the Axios Supply Chain Compromise - Elastic Security Labs | Inside the Axios Supply Chain Compromise - Elastic Security Labs |
| 2026-04-16 NEW 2026 | Lockfile Poisoning: Introducing Malware in Supply Chain - SafeDep | Lockfile Poisoning: Introducing Malware in Supply Chain - SafeDep |
| 2026-04-16 NEW 2026 | Shai-Hulud 2.0: Most Aggressive NPM Supply Chain Attack of 2025 - Check Point | Shai-Hulud 2.0: Most Aggressive NPM Supply Chain Attack of 2025 - Check Point |
| 2026-04-16 NEW 2026 | Supply Chain Security: Sigstore and Cosign - GitGuardian | Supply Chain Security: Sigstore and Cosign - GitGuardian |
| 2026-04-16 NEW 2026 | GuardDog: CLI Tool to Identify Malicious PyPI and npm Packages | GuardDog: CLI Tool to Identify Malicious PyPI and npm Packages |
| 2026-04-16 NEW 2026 | tj-actions Supply Chain Attack (CVE-2025-30066) - Sysdig | tj-actions Supply Chain Attack (CVE-2025-30066) - Sysdig |
| 2026-04-16 NEW 2026 | tj-actions/changed-files Compromised - Semgrep | tj-actions/changed-files Compromised - Semgrep |
| 2026-04-16 NEW 2026 | Most Notable Supply Chain Attacks of 2025 - Kaspersky | Most Notable Supply Chain Attacks of 2025 - Kaspersky |
| 2026-04-16 NEW 2026 | GitHub Actions Supply Chain Attacks: tj-actions and reviewdog - Hunters | GitHub Actions Supply Chain Attacks: tj-actions and reviewdog - Hunters |
| 2026-04-11 2026 | DPRK Threat Actor Compromises Axios NPM Package | DPRK Threat Actor Compromises Axios NPM Package |
| 2026-04-11 2026 | 16 Minutes to Impact: npm crypto-draining malware | 16 Minutes to Impact: npm crypto-draining malware |
| 2026-04-11 2026 | Widespread npm Supply Chain Attack: Billions at Risk | Widespread npm Supply Chain Attack: Billions at Risk |
| 2026-04-11 2026 | npm Supply Chain Attack: debug, chalk, and Beyond | npm Supply Chain Attack: debug, chalk, and Beyond |
| 2026-04-11 2026 | The Nx s1ngularity Attack: Inside the Credential Leak | The Nx s1ngularity Attack: Inside the Credential Leak |
| 2026-04-11 2026 | s1ngularity: Nx supply chain attack leaks secrets | s1ngularity: Nx supply chain attack leaks secrets |
| 2026-04-11 2026 | CISA 2025 Minimum Elements for SBOM | CISA 2025 Minimum Elements for SBOM |
| 2026-04-11 2026 | SLSA 3 Compliance with GitHub Actions and Sigstore | SLSA 3 Compliance with GitHub Actions and Sigstore |
| 2026-04-11 2026 | cosign Verification of npm Provenance and GitHub Attestations | cosign Verification of npm Provenance and GitHub Attestations |
| 2026-04-11 2026 | Securing CI/CD After tj-actions and reviewdog Attacks | Securing CI/CD After tj-actions and reviewdog Attacks |
| 2026-04-11 2026 | GitHub Actions Supply Chain Attack: Coinbase to tj-actions | GitHub Actions Supply Chain Attack: Coinbase to tj-actions |
| 2026-04-11 2026 | tj-actions/changed-files supply chain attack | tj-actions/changed-files supply chain attack |
| 2026-04-11 2026 | tj-actions/changed-files compromise (CVE-2025-30066) | tj-actions/changed-files compromise (CVE-2025-30066) |
| 2026-04-11 2026 | XZ Backdoor CVE-2024-3094 - JFrog | XZ Backdoor CVE-2024-3094 - JFrog |
| 2026-04-11 2026 | xz Backdoor CVE-2024-3094 - OpenSSF | xz Backdoor CVE-2024-3094 - OpenSSF |
| 2026-04-11 2026 | XZ Utils backdoor (CVE-2024-3094) overview | XZ Utils backdoor (CVE-2024-3094) overview |
| 2026-04-11 2026 | Ultralytics PyPI package delivers coinminer | Ultralytics PyPI package delivers coinminer |
| 2026-04-11 2026 | Supply-chain attack analysis: Ultralytics | Supply-chain attack analysis: Ultralytics |
| 2026-04-11 2026 | GitLab discovers widespread npm supply chain attack | GitLab discovers widespread npm supply chain attack |
| 2026-04-11 2026 | Shai-Hulud: Self-Replicating Worm Compromises 500+ NPM Packages | Shai-Hulud: Self-Replicating Worm Compromises 500+ NPM Packages |
| 2026-04-11 2026 | Shai-Hulud npm supply chain attack overview | Shai-Hulud npm supply chain attack overview |
| 2026-04-11 2026 | Shai-Hulud Worm Compromises npm Ecosystem | Shai-Hulud Worm Compromises npm Ecosystem |
| 2026-04-11 2026 | Shai-Hulud 2.0: 25K+ Repos Exposed | Shai-Hulud 2.0: 25K+ Repos Exposed |
| 2026-04-11 2026 | Shai-Hulud 2.0: Detection and Defense Guidance | Shai-Hulud 2.0: Detection and Defense Guidance |
| 2026-04-11 2026 | Shai-Hulud 2.0 npm worm: analysis | Shai-Hulud 2.0 npm worm: analysis |
| 2026-04-10 2026 | Supply Chain Attacks Are Exploiting Our Assumptions | Supply Chain Attacks Are Exploiting Our Assumptions |
| 2026-04-10 2026 | Protecting Your Software Supply Chain: Typosquatting and Dependency Confusion | Protecting Your Software Supply Chain: Typosquatting and Dependency Confusion |
| 2026-04-10 2026 | LiteLLM PyPI Packages Compromised in TeamPCP Supply Chain Attacks | LiteLLM PyPI Packages Compromised in TeamPCP Supply Chain Attacks |
| 2026-04-10 2026 | Supply-Chain Attack Defense: Developer Host Machine Hardening | Supply-Chain Attack Defense: Developer Host Machine Hardening |
| 2026-04-10 2026 | TeamPCP Credential Infostealer Chain Attack Reaches Python's LiteLLM | TeamPCP Credential Infostealer Chain Attack Reaches Python's LiteLLM |
| 2026-04-10 2026 | Compromised dYdX npm and PyPI Packages Deliver Wallet Stealers | Compromised dYdX npm and PyPI Packages Deliver Wallet Stealers |
| 2026-04-10 2026 | N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust | N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust |
| 2026-04-10 2026 | The Next Wave of Supply Chain Attacks: NPM, PyPI, and Docker Hub | The Next Wave of Supply Chain Attacks: NPM, PyPI, and Docker Hub |
| 2026-04-10 2026 | PyPI, npm, and the New Frontline of Software Supply Chain Attacks | PyPI, npm, and the New Frontline of Software Supply Chain Attacks |
| 2026-04-10 2026 | Malicious PyPI and npm Packages Exploiting Dependencies in Supply Chain Attacks | Malicious PyPI and npm Packages Exploiting Dependencies in Supply Chain Attacks |
| 2026-04-10 2026 | Supply Chain Attack: How Attackers Weaponize Software | Supply Chain Attack: How Attackers Weaponize Software |
| 2026-04-10 2026 | 2026 Supply Chain Security Report: Attack Analysis | 2026 Supply Chain Security Report: Attack Analysis |
| 2026-04-10 2026 | Securing Software Supply Chains: 2026 Priorities | Securing Software Supply Chains: 2026 Priorities |
| 2026-04-10 2026 | 2026 Software Supply Chain Report | 2026 Software Supply Chain Report |
| 2026-04-10 2026 | Supply Chain Attacks 2025-2026: Axios, Shai-Hulud, and More | Supply Chain Attacks 2025-2026: Axios, Shai-Hulud, and More |
| 2026-04-06 2026 | How to Prevent OWASP Software Supply Chain Failures | How to Prevent OWASP Software Supply Chain Failures |
| 2026-04-06 2026 | Axios Compromise on npm Introduces Hidden Malicious Package | Axios Compromise on npm Introduces Hidden Malicious Package |
| 2026-04-06 2026 | NPM Supply Chain Attacks Explained: Dependency Confusion Exploits and Defense | NPM Supply Chain Attacks Explained: Dependency Confusion Exploits and Defense |
| 2026-04-06 2026 | Axios npm Package Compromised in Supply Chain Attack | Axios npm Package Compromised in Supply Chain Attack |
| 2026-04-06 2026 | The 2026 Guide to Software Supply Chain Security | The 2026 Guide to Software Supply Chain Security |
| 2026-04-03 2026 | 12 Months That Changed Supply Chain Security - 2025 Month by Month | 12 Months That Changed Supply Chain Security - 2025 Month by Month |
| 2026-04-03 2026 | Securing the Software Supply Chain: OpenSSF, SLSA, SBOM, and Sigstore | Securing the Software Supply Chain: OpenSSF, SLSA, SBOM, and Sigstore |
| 2026-04-03 2026 | OWASP Top 10 2025: A03 Software Supply Chain Failures (Beginner's Guide) | OWASP Top 10 2025: A03 Software Supply Chain Failures (Beginner's Guide) |
| 2026-04-03 2026 | SLSA Framework: The Definitive Guide for Securing Your Software Supply Chain | SLSA Framework: The Definitive Guide for Securing Your Software Supply Chain |
| 2026-04-03 2026 | Five Key Flaws Exploited in 2025's Software Supply Chain Incidents | Five Key Flaws Exploited in 2025's Software Supply Chain Incidents |
| 2026-04-03 2026 | Predictions for Open Source Security in 2025 \| OpenSSF | Predictions for Open Source Security in 2025 \| OpenSSF |
| 2026-04-03 2026 | Supply Chain Attacks in Q4 2025: From Isolated Incidents to Systemic Failure Modes | Supply Chain Attacks in Q4 2025: From Isolated Incidents to Systemic Failure Modes |
| 2026-04-03 2026 | Supply Chain Security in CI: SBOMs, SLSA, and Sigstore | Supply Chain Security in CI: SBOMs, SLSA, and Sigstore |
| 2026-04-03 2026 | SLSA - Supply-chain Levels for Software Artifacts | SLSA - Supply-chain Levels for Software Artifacts |
| 2026-04-03 2026 | A03 Software Supply Chain Failures - OWASP Top 10:2025 | A03 Software Supply Chain Failures - OWASP Top 10:2025 |
| 2026-04-03 2026 | What is Supply Chain Security? \| Glossary | Supply chain security focuses on risk management of external suppliers, vendors, logistics, and transportation. |
Frequently Asked Questions
- What is a software supply chain attack?
  - A supply chain attack targets the components, tools, or processes used to build software rather than the application itself. This includes compromising open-source packages, injecting malicious code into build pipelines, hijacking maintainer accounts, or distributing trojanized development tools — allowing attackers to affect thousands of downstream users simultaneously.
- What is dependency confusion?
  - Dependency confusion (also called namespace confusion) exploits how package managers resolve dependencies. An attacker publishes a malicious package to a public registry with the same name as a private internal package. If the build system checks the public registry first or prefers higher version numbers, it installs the attacker's package instead of the legitimate internal one.
- How do you defend against supply chain attacks?
  - Key defenses include maintaining a Software Bill of Materials (SBOM), using lock files and dependency pinning, enabling automated dependency scanning (Dependabot, Snyk, Socket), verifying package signatures and provenance, adopting the SLSA framework for build integrity, using private registries with allow-lists, and regularly auditing your dependency tree for known vulnerabilities.