GitHub now offers immutable releases that protect software assets and tags from modification after publication. This feature enhances security by preventing tampering and includes signed attestations for verifying authenticity. Users can enable this at the repository or organization level.

Socket has launched a Threat Intel page that tracks ongoing supply chain attack campaigns affecting open-source packages. The new feature helps teams quickly determine if they are impacted by these coordinated attacks and provides context for affected packages.

The article details a targeted malware attack disguised as a freelance job opportunity on LinkedIn. It breaks down how the malicious code was embedded in a GitLab repository and outlines key warning signs for developers to watch for to avoid similar scams.

Researchers found insecure bootstrap scripts in legacy Python packages that could allow attackers to exploit a domain takeover. The scripts fetch an outdated installation package from a now-available domain, which poses a risk of executing malicious code. Some affected packages have removed the scripts, but others, like slapos.core, still include them.

The article discusses six newly discovered JavaScript zero-day vulnerabilities that could allow attackers to exploit package managers and execute malicious code. Experts warn that these flaws could enable large-scale supply chain attacks, especially if attackers gain access to package maintainers' credentials. The need for stronger security measures in software supply chains is emphasized.

This article provides a comprehensive analysis of the Shai Hulud 2.0 supply chain attack, detailing the compromised code libraries and the extent of the breaches. It also lists tools and methods for detecting and mitigating the impact of these attacks, emphasizing the importance of version pinning and runtime monitoring.

The article argues that using dependency cooldowns can significantly reduce the risk of open source supply chain attacks. By waiting a set period after a dependency is published before using it, developers can avoid most threats while vendors monitor for issues. The author emphasizes that this approach is simple and free to implement.

npm is implementing a staged publishing model to add a review step before packages go live, following a series of supply chain attacks in 2025. This change aims to give maintainers a chance to catch malicious or unintended changes before they are published. The new process requires multi-factor authentication for approval during the staging period.

This article details a significant npm supply chain attack that compromised an engineer's credentials, allowing unauthorized access to multiple repositories. The attacker cloned 669 repositories and closed numerous pull requests before being detected and removed from the GitHub organization. Thankfully, published packages remained secure throughout the incident.

Security researchers identified a major flaw in the AWS Console that could have allowed attackers to seize control of key GitHub repositories, potentially leading to widespread supply chain attacks. The vulnerability, linked to a misconfiguration in AWS CodeBuild CI pipelines, has been addressed by AWS following its disclosure in August 2025. Users are advised to implement certain security measures to mitigate risks.

The article details a supply chain attack on Notepad++, where attackers compromised the update infrastructure between June and September 2025. It outlines various infection chains, unique payloads, and the methods used to gather system information and install malicious software. Kaspersky's solutions successfully blocked these attacks as they unfolded.

The lotusbail npm package masquerades as a legitimate WhatsApp API library but contains sophisticated malware that steals user credentials, messages, and contacts. It captures data by intercepting communications and uses custom encryption to evade detection. Even after uninstalling the package, attackers retain access to compromised accounts.

A state-sponsored group, Lotus Blossom, compromised Notepad++'s hosting infrastructure, allowing them to serve malicious updates to targeted users in Southeast Asia. The attack leveraged DLL sideloading and Lua script injections to deliver malware, affecting various sectors globally.

This article discusses how modern software products rely on a complex web of external dependencies, making supply chain risk a critical concern for product engineering teams. It emphasizes the need for trust verification and security measures to prevent compromises from third-party components. The framework SLSA is presented as a solution for establishing software integrity.

GlassWorm malware has reappeared in Visual Studio Code extensions just weeks after being declared eradicated. The worm uses invisible Unicode characters to hide its code and is now also infecting GitHub repositories, posing risks to developers and critical infrastructure worldwide.

Security flaws in npm's defenses against supply-chain attacks allow hackers to bypass protections through Git dependencies. Although other package managers have patched their vulnerabilities, npm rejected a vulnerability report from Koi Security, claiming users must vet package content themselves.

The article discusses a recent supply chain attack targeting the npm ecosystem, which compromised the Shai Hulud package. It highlights the implications of such attacks on software security, emphasizing the need for vigilance in managing dependencies and securing the software supply chain.

Dalec is a project focused on providing a secure, declarative format for building system packages and containers, emphasizing supply chain security. It supports various operating systems and ensures minimal image sizes to reduce vulnerabilities, while allowing for contributions under a Contributor License Agreement.

Google has launched OSS Rebuild to enhance trust in open source software by automating the reproduction of package builds and generating SLSA Provenance. This initiative aims to improve security against supply chain attacks while minimizing the burden on package maintainers. By providing tools for build verification and observability, OSS Rebuild seeks to empower security teams and improve the integrity of open source software ecosystems.

The article discusses a major npm supply chain hack affecting the eslint-config-prettier package, highlighting the risks associated with third-party dependencies in software development. It emphasizes the importance of securing package management ecosystems to prevent similar vulnerabilities in the future.

Hundreds of e-commerce sites have been compromised in a supply-chain attack that allowed malware to execute malicious code in visitors' browsers, potentially stealing sensitive payment information. The attack involved at least three software providers and may have affected up to 1,000 sites, with the malware remaining dormant for six years before activation. Security firm Sansec reported limited global remediation efforts for the affected customers, including a major multinational company.

The article discusses GitHub's Dependency Graph, a feature that helps developers visualize and understand their software's supply chain by mapping out dependencies. This tool enhances security by allowing users to identify vulnerabilities in their dependencies and manage them effectively, promoting better supply chain security practices.

A recent supply chain attack has compromised several npm packages, allowing the distribution of backdoor malware. This incident highlights vulnerabilities in the software supply chain, emphasizing the need for enhanced security measures in package management systems.

A report has revealed that 40 npm packages have been compromised as part of a supply chain attack, exposing vulnerabilities that could potentially affect thousands of projects. The malicious packages were designed to steal sensitive data and create backdoors for attackers, highlighting the ongoing risks in open-source software ecosystems. Developers are urged to review their dependencies and ensure they are not using affected packages.

A recent NPM supply chain attack involving a self-propagating worm called Shai-Hulud has highlighted the vulnerability of package registries like NPM. Sysdig's Threat Intelligence Feed offers real-time insights into these threats, enabling organizations to quickly assess their exposure and respond effectively. By monitoring malicious NPM packages, Sysdig aids security teams in identifying risks and taking action promptly.

GitLab has identified a supply chain attack targeting the MongoDB Go module, which could potentially compromise users by introducing malicious code. The attack highlights the ongoing risks associated with software supply chains and underscores the importance of security measures in open-source ecosystems. GitLab's response and mitigation efforts aim to protect its users and maintain the integrity of its platform.

OSS Rebuild is a new initiative aimed at enhancing trust in open source package ecosystems by enabling the reproduction of upstream artifacts. This project automates the creation of build definitions for popular package registries, providing security teams with valuable data to mitigate supply chain attacks while minimizing the burden on package maintainers. It seeks to improve transparency and security across various open source ecosystems, starting with support for PyPI, npm, and Crates.io.

Open-source software (OSS) is increasingly vulnerable to supply chain attacks that exploit the trust developers place in widely-used libraries and tools. Notable incidents, including attacks on Solana's Web3.js and Amazon's Q extension, demonstrate how malicious actors can compromise critical components, leading to significant security breaches. The article emphasizes the need for improved security measures and governance in the open-source ecosystem.

CI/CD servers are vulnerable to attacks that can compromise source code and sensitive data, making their security critical. The article outlines essential steps to enhance the security of CI/CD servers and highlights the risks associated with security breaches. By prioritizing security measures, organizations can protect themselves from potential data breaches and attacks.

The XZ Utils backdoor, originally discovered in 2024, continues to pose a risk as several Docker images built from compromised Debian packages still contain the malicious code. Despite efforts to notify Debian maintainers for removal, these infected images remain publicly available, highlighting the persistent threat of backdoored software in the container ecosystem. Binarly's research emphasizes the need for continuous monitoring and detection of such vulnerabilities to protect the software supply chain.

Researchers discovered vulnerabilities in the Nix ecosystem related to GitHub Actions, specifically concerning the pull_request_target event, which could allow for supply chain attacks and command injection. They identified two significant flaws: one involving xargs and the other enabling symbolic link exploitation, leading to unauthorized access to sensitive data. The maintainers acted quickly to disable the vulnerable workflows and implement fixes.

The article discusses the vulnerabilities in the npm supply chain and emphasizes the importance of securing software dependencies. It highlights insights from industry expert Brian Fox on how to mitigate risks associated with open-source components. The piece advocates for better practices and tools to enhance security in software development.

GitHub outlines its strategy to enhance the security of the npm supply chain, focusing on improving the safety of open-source software dependencies. The plan includes implementing better verification processes and tools to mitigate risks associated with malicious packages and vulnerabilities.

The content appears to be corrupted or unreadable, making it impossible to derive meaningful information or insights from it. As a result, no summary can be provided based on the visible text.

The Ripple cryptocurrency library "xrpl.js" was compromised, allowing attackers to steal XRP wallet seeds and private keys through malicious code in several versions. Users are urged to upgrade to the clean version 4.2.5 immediately to mitigate potential theft of funds. The attack resembles previous supply chain threats faced by other cryptocurrency libraries.

The article discusses the escalating risks associated with NPM supply chain attacks, highlighting Microsoft's role as a "bad actor" in software security. It reflects on past incidents and emphasizes the need for better security measures in the software ecosystem to prevent exploitation by malicious actors.

ReARM is a DevSecOps tool developed by Reliza for managing product releases and their associated metadata, including various Bills of Materials (SBOMs and xBOMs). It emphasizes compliance with multiple regulatory frameworks while minimizing overhead for developers, offering features like automated release versioning, integration with CI systems, and a community edition for public use.

A significant vulnerability was discovered in the Open VSX marketplace, which could allow attackers to gain full control over millions of developer machines by publishing malicious updates to extensions. This flaw, rooted in a CI issue, underscores the risks associated with untrusted third-party software in development environments.

The npm author Qix was targeted in a significant supply chain attack through a phishing email that spoofed npm branding, tricking the author into compromising their account. Malicious code was introduced into several packages, redirecting cryptocurrency transactions to the attacker's addresses, highlighting the persistent threat of phishing in the open-source ecosystem.

Developer environments are increasingly vulnerable to security risks due to the rise of agentic coding assistants, which interact with systems in complex ways that can introduce malicious code and escalate privileges. The lack of built-in security features in Model Context Protocol servers and rules files exacerbates these risks, leading to potential supply chain attacks. To mitigate these threats, organizations should implement traditional best practices such as sandboxing, supply chain scrutiny, and enhanced monitoring of coding assistant workflows.

Nix provides a robust solution for maintaining secure software supply chains by enabling organizations to prove the integrity and origin of their software without the burdens of air-gapped environments or outdated packages. It addresses regulatory demands for transparency and verifiability, allowing developers to work more efficiently while ensuring compliance and security. The article outlines how Nix can facilitate reproducible builds and enhance trust in software delivery processes.

Witness is a dynamic CLI tool that enhances software supply chain security by creating an audit trail throughout the software development lifecycle (SDLC) using the in-toto specification. It features a policy engine for enforcement, supports various integrations, and allows for keyless signing and attestation storage. The tool is maintained by the open community and offers both free and commercial support options.