Tag: software supply chain
74 articles

DevSecOps Becomes Essential for Modern Government IT
As AI-assisted development accelerates delivery timelines, it's also introducing new risks, with vulnerability disclosures related to AI-assisted development skyrocketing in 2026 and leaving security leaders scrambling to harden defenses. With adversaries using AI to fuel attacks, the need for DevSecOps has never been more pressing.

AI Reshapes Software Supply Chain Security Risks
The software supply chain security landscape has dramatically shifted in just 20 months, with AI tools and models now integral to building, deploying, and running software - and bringing new risks to the table. The old question of "what's in your code?" has given way to a more complex concern: what happens when AI coding assistants and autonomous agents start suggesting or producing code?

LLMs Expose Software Supply Chain to Phantom Squatting Threat
Imagine a hidden threat lurking in the software supply chain, where 250,000 "phantom" domains lie waiting to be claimed by malicious actors - a vulnerability uncovered in a staggering 2.1 million URLs generated by LLMs. This phantom squatting threat has the potential to compromise security, and it's essential to understand its scope and impact.

AI Code Review Foils Malicious Backdoor in Python Project
When Roman Imankulov analyzed a suspicious Python project with his AI agent, it quickly flagged a malicious backdoor, saving him from a potentially disastrous mistake. The AI code review proved to be a crucial safeguard, alerting Imankulov to walk away from the tainted code.

Mastra Packages Compromised in Software Supply Chain Attack
A massive software supply chain attack just hit Mastra, with over 140 malicious packages published in a single day by a compromised npm account. The swift and coordinated assault, dubbed easy-day-js, unfolded over just two days, catching defenders scrambling to respond.

Microsoft Probes Miasma Campaign as GitHub Repos Remain Offline
Microsoft swiftly took action to safeguard its customers and the broader ecosystem by temporarily removing some GitHub repositories while investigating a software supply chain intrusion. The company has since restored some, but others remain offline as the probe continues.

Gitea Flaw Exposes Private Container Images to Unauthenticated Attacks
A newly disclosed vulnerability in Gitea, tracked as CVE-2026-27771, allows unauthenticated attackers to access private container images, potentially exposing tens of thousands of deployments worldwide. This flaw lets anyone on the internet pull private images without needing an account, password, or credentials.

Shai-Hulud Malware Targets 600 Npm Packages in Supply-Chain Attack
In a shocking supply-chain attack, malicious Shai-Hulud malware targeted a staggering 600 npm packages, with researchers uncovering nearly 640 tainted versions across 323 unique libraries in just one hour. The assault hit popular ecosystems like @antv and spread to widely-used packages, leaving a trail of poisoned code in its wake.

OpenAI Disrupted in TanStack npm Supply Chain Breach
Malicious packages have rocked the TanStack npm supply chain, with 84 tainted versions of 42 @tanstack/* packages published, drawing OpenAI into the crisis and prompting urgent action to secure its systems. The AI company has confirmed that attackers compromised two employee devices, stealing credentials and forcing a reset across multiple desktop products.

RubyGems Disrupts Signups Amid Malicious Package Surge
RubyGems has temporarily halted new account registrations amid a significant surge in malicious packages, with security experts warning of a major attack on the platform. The move comes as Mend.io, the organization responsible for securing RubyGems, works to contain the incident.

AI-BOMs Emerge to Secure Enterprise AI Supply Chains
Imagine biting into a mysterious birthday cake without knowing its ingredients or who baked it - that's what it's like for enterprises trying to secure their AI supply chains without visibility into the components used to build their AI systems. Traditional software bills of materials just aren't cutting it in this new landscape.

CVE Feeds Overlook End-of-Life Software Vulnerabilities
The blind spot in CVE feeds is leaving end-of-life software vulnerabilities flying under the radar, with a staggering 167,286 false negatives identified in 2025 alone. This oversight can have serious consequences, as outdated software can still be exploited, even if it's no longer receiving patches.

Trellix Breach Exposes Source Code to Threat Actors
Trellix has confirmed a breach of its internal development assets, revealing that threat actors gained unauthorized access to a portion of its source code repository. The company is working with experts to investigate and has found no evidence that its source code has been exploited so far.

Trellix Source Code Repository Breached
Trellix revealed a breach of its source-code repository over the weekend, but fortunately found no signs of exploitation or compromise to its code release process. The company is still investigating and has promised to share more details once it's completed.

Trellix Breach Exposes Source Code Repository
Trellix has confirmed a security incident involving unauthorized access to part of its source code repository, and is working closely with forensic experts and law enforcement to investigate. The company is reviewing the breach and will share updates as more information becomes available.

Malicious Ruby Gems, Go Modules Exploit CI Pipelines for Credential Theft
Malicious actors are targeting developers and CI pipelines with fake Ruby Gems and Go Modules, masquerading as familiar libraries to steal credentials. The campaign, linked to the GitHub account BufferZoneCorp, poses a significant threat to software supply chains.

Supply-Chain Attack Targets Security, Dev Tools with Credential Theft
Malicious hackers are exploiting the very tools developers rely on, including security scanners and password managers, to steal sensitive credentials and gain unauthorized access. This latest supply-chain attack has already hit major players like Checkmarx, compromising their GitHub repository and potentially putting customer data at risk.

Medtronic Discloses Cyber Breach by ShinyHunters Gang
Medtronic recently reported a cyber breach by the ShinyHunters gang to federal authorities and the SEC, revealing that hackers had infiltrated its corporate IT system. Fortunately, the company has found no evidence that patient safety or electronic connections to customers were compromised.

Cloudsmith Bolsters Software Supply-Chain Security with $72M Raise
Cloudsmith just secured $72 million to supercharge its artifact management platform and take software supply-chain security to the next level. With a strong artifact management layer in place, companies can enjoy the added benefit of a secure software supply chain.

Checkmarx KICS Tool Compromised in Supply-Chain Breach
A critical vulnerability was discovered in the Checkmarx KICS tool due to a supply-chain breach, where a malicious Docker image was briefly hosted on DockerHub, exposing users to potential security risks between April 22, 2026, 14:17:59 UTC and 15:41:31 UTC. The breach was quickly identified and rectified, with affected tags restored and malicious images removed.

OpenAI Revokes macOS Certs Amid Supply Chain Breach Fallout
A recent supply chain breach has raised concerns about software trustworthiness, prompting OpenAI to revoke its macOS code-signing certificates after a malicious package was executed in its build pipeline. This swift action highlights the vulnerability of even the most secure systems to supply chain attacks.

Microsoft Disrupts Open-Source Projects with Sudden Account Suspensions
Microsoft's sudden suspension of developer accounts has left maintainers of popular open-source projects locked out, unable to publish crucial security patches and software updates for Windows users. This abrupt move has sparked concern, with many wondering who will keep the digital roof fixed when the people who make the essential tools are shut out.

North Korea-linked actor compromises axios NPM package
A shocking discovery by Google Threat Intelligence Group has exposed a vulnerability in the popular axios NPM package, which has over 100 million weekly downloads, and has raised urgent questions about the trustworthiness of software supply chains. A malicious dependency was secretly introduced into axios releases, putting countless applications at risk.

Mercor Hit in Widespread LiteLLM Supply-Chain Attack
Thousands of companies, including AI hiring startup Mercor, have been hit by a widespread LiteLLM supply-chain attack, marking the first publicly disclosed downstream casualty of a software supply-chain intrusion. This incident raises a critical question: how can organizations trust their tech toolchains when the chain itself can be compromised?