FeedExploreAsk AIAlertsSavedProfile

Categories

AICybersecurityInfrastructureDatabaseTech Updates

Tech news that matters.

← All research

Cybersecurity

Software supply-chain security

How modern attacks move through dependencies, build systems, and image registries — and the defences (SLSA, sigstore, SBOMs) that block them.

Software supply-chain attacks compromise the trust chain between an open-source maintainer's laptop and your production workload. The notorious examples — SolarWinds, Log4j, the XZ backdoor — each exploited a different link in that chain.

Notifire tracks the practical defences engineering teams are deploying: SLSA provenance attestations, sigstore/cosign image signatures, deps.dev for transitive-dependency scoring, and admission controllers that refuse unsigned artifacts.

Latest briefings on Software supply-chain security

  • Security

    Four Malicious npm Packages Discovered

    Cybersecurity researchers have identified four malicious packages on the npm registry: `chalk-tempalte`, `@deadcode09284814/axios-util`, `axois-utils`, and `color-style-utils`. These packages were designed to steal information from developer systems and have been downloaded thousands of times.

    Neeraj Dhiman ·

  • Tech

    The Future of Package Tracking Is a Smart Sticker

    Samsara has launched a smart, single-use Bluetooth adhesive label for packages. The Samsara Tracking Label provides near-real-time visibility into a shipment's location, making it easier than ever to track deliveries from dispatch to destination.

    Taranpreet Singh · 1w ago

  • Security

    Secure JavaScript projects with one command

    DepsGuard is a new open-source tool that simplifies securing JavaScript projects. It applies recommended security settings, like package cooldowns and disabling install scripts, across multiple package managers (npm, pnpm, yarn, bun, uv) with a single command, addressing common supply chain vulnerabilities.

    Neeraj Dhiman · 2w ago

  • Tech

    Extreme Heat Is a Growing Economic Threat

    Extreme heat is no longer just a climate issue; it's a growing economic problem. Rising temperatures are reducing worker productivity, slowing supply chains, and threatening economic growth in countries like India.

    Navdeep Kaur Mahal · 2w ago

  • Security

    Recent Flaws Highlight Systemic Risks

    A series of high-impact security incidents, including a mail server zero-day, poisoned npm packages, and a fake AI repository, highlight a dangerous trend. Attackers are exploiting single points of failure in software supply chains and cloud infrastructure to launch widespread, cascading attacks.

    Neeraj Dhiman · 2w ago

  • Security

    Minimus Launches Tools to Secure Your Software Supply Chain

    Security firm Minimus released two new tools to help teams manage software supply chain risks and container security together. The products aim to simplify protecting applications from third-party code vulnerabilities and misconfigurations.

    Neeraj Dhiman · 2w ago

  • Tech

    AI Demand Spikes DDR5 Prices

    The price for 32GB of DDR5 RAM has surged to a minimum of $375, a significant increase from previous levels. This price hike is driven by massive demand from the AI industry, which is consuming memory supply and impacting the PC building market for consumers and businesses.

    Taranpreet Singh · 2w ago

  • Security

    Security Recap: Linux, Defender, Supply Chains

    This week's security landscape saw the discovery of new Linux vulnerabilities and a zero-day flaw in Microsoft Defender. The incidents highlight ongoing risks from unpatched systems and complex supply chains. Additionally, old bugs resurfaced, and phishing attacks have become more targeted, posing a continued threat.

    Neeraj Dhiman · 2w ago

  • Security

    US Blacklists Top Chinese Tech Firms Over Military Links

    The Pentagon has added Alibaba, Baidu, and other major Chinese tech companies to a list of firms allegedly supporting China's military. This move bars them from U.S. defense contracts and raises supply chain security concerns.

    Neeraj Dhiman · 2w ago

  • Tech

    New Process Could Unlock Lithium Supply

    Researchers have developed a new, more environmentally friendly, and potentially cheaper method for extracting lithium, a critical component for batteries. The process, detailed in the journal Science, is being commercialized by a startup named Rock Zero, aiming to address future supply chain challenges for EVs and energy storage.

    Taranpreet Singh · 2w ago

  • Security

    Malware Campaign Targets Developer Tools

    A new malware campaign named TrapDoor is targeting developers across npm, PyPI, and Crates.io. Researchers found over 34 malicious packages designed to compromise developer workstations and workflows, specifically targeting credentials and files related to AI coding assistants, highlighting ongoing software supply chain risks.

    Neeraj Dhiman · 2w ago

  • Security

    GitHub Is Making npm Installs Safer By Default

    GitHub is rolling out security updates for npm, the popular JavaScript package manager. The changes will block malicious scripts from running automatically during installation, helping to protect developers and their projects from common supply-chain attacks.

    Neeraj Dhiman · 2w ago

  • Security

    Major Developer Malware Network Disrupted

    CrowdStrike, Google, and the Shadowserver Foundation have successfully disrupted the GlassWorm malware campaign. This operation dismantled the command-and-control infrastructure used in a persistent software supply chain attack that targeted developers with malicious packages and extensions since at least early 2025.

    Neeraj Dhiman · 2w ago

  • Security

    npm Secures Packages with 2FA

    GitHub has enhanced npm security with a new "staged publishing" feature. It requires maintainers to approve new package versions using two-factor authentication (2FA) before they are publicly available. This measure aims to prevent malicious package publications and strengthen the software supply chain against attacks.

    Neeraj Dhiman · 2w ago

  • Security

    Critical security flaws in NLTK library

    Multiple high-severity vulnerabilities have been discovered in NLTK, a popular Python library for natural language processing. The flaws could allow for remote code execution and arbitrary file writes, posing a significant supply chain security risk for applications using the library. Developers should update immediately.

    Neeraj Dhiman · 2w ago

  • Security

    Laravel Packages Compromised With Malware

    Several popular Laravel-Lang PHP packages were compromised in a software supply chain attack. Malicious code was injected to deliver a credential-stealing malware, posing a significant risk to applications using these packages and potentially exposing sensitive login information.

    Neeraj Dhiman · 2w ago

  • Security

    Malicious npm packages steal cloud secrets

    Microsoft has uncovered a software supply chain attack using typosquatted npm packages to steal cloud and CI/CD credentials. The attack uses npm lifecycle hooks for execution and abuses the legitimate Bun runtime as a loader to deploy credential-stealing malware, targeting developers and their environments.

    Neeraj Dhiman · 2w ago

  • Security

    Malware Hits npm, PyPI, Crates.io

    A coordinated supply chain attack named TrapDoor has been discovered across npm, PyPI, and Crates.io. The campaign used over 34 malicious packages to distribute credential-stealing malware, highlighting ongoing risks in open-source registries and the developers who rely on them.

    Neeraj Dhiman · 2w ago

  • Security

    Malicious npm packages target developers

    Microsoft has identified an active supply chain attack on the npm ecosystem. Attackers are publishing malicious packages that mimic internal corporate libraries. Using a technique called dependency confusion, these packages are designed to infiltrate and gather information from developer environments, posing a significant risk to organizations.

    Neeraj Dhiman · 2w ago

  • Data

    Build Digital Twins with BigQuery Graph

    Google Cloud published a guide on using its BigQuery Graph feature to create digital twins of complex systems, like a food supply chain. The approach helps businesses model and analyze relationships within their operations, moving beyond the limitations of traditional spreadsheets to manage growth and complexity effectively.

    Taranpreet Singh · Jun 2, 2026

  • Security

    Typosquatting is a supply chain threat

    Typosquatting has evolved from a user-focused issue to a software supply chain threat. Attackers are now embedding malicious lookalike domains, sometimes generated by AI, directly into legitimate third-party scripts. This makes them difficult for standard security tools to detect, exposing web properties to new risks.

    Neeraj Dhiman · May 21, 2026

  • Security

    Supply Chain Attacks Target Developer Secrets

    Attackers are expanding software supply chain attacks to target developer workstations and CI/CD pipelines directly. Recent campaigns on npm, PyPI, and Docker Hub aimed to steal secrets like API keys, cloud credentials, and tokens, shifting the focus from injecting malicious code to stealing developer access.

    Neeraj Dhiman · May 21, 2026

  • Security

    Grafana GitHub Breach Exposes Source Code

    Grafana Labs confirmed a security breach limited to its GitHub environment, exposing public and private source code. The company stated that its investigation found no evidence of customer production systems being compromised. The incident was linked to a supply chain attack involving a TanStack npm package.

    Neeraj Dhiman · May 21, 2026

  • Security

    Malicious Code Found In AntV Packages

    Microsoft has uncovered a supply chain attack targeting the @antv npm ecosystem. Attackers compromised a maintainer's account to publish malicious versions of data-visualization packages. The code aims to steal credentials from CI/CD pipelines and affects widely used libraries like echarts-for-react.

    Neeraj Dhiman · May 21, 2026

  • Security

    GitHub Breach Linked To TanStack Attack

    GitHub has confirmed that a recent breach of 3,800 internal repositories was caused by a malicious VS Code extension. The extension was compromised in a wider supply-chain attack targeting the popular TanStack npm packages, highlighting the growing risks of software dependencies.

    Neeraj Dhiman · May 21, 2026

  • Security

    GitHub Internal Repositories Were Breached

    GitHub has disclosed a security breach where an attacker gained unauthorized access to its internal repositories. The compromise originated from a malicious third-party VS Code extension on an employee's device. While thousands of internal repos were exfiltrated, GitHub reports no evidence of impact on customer data.

    Neeraj Dhiman · May 21, 2026

Frequently asked questions

What is SLSA?

Supply-chain Levels for Software Artifacts — a framework that scores how trustworthy a build pipeline is. Level 1 produces provenance metadata; Level 4 means the build is hermetic, reproducible, and signed by a trusted builder. Most projects target Level 2 or 3.

Is a SBOM enough?

No. A SBOM tells you what's inside an artifact, but only matters if you can act on it: subscribe to CVE feeds against the SBOM, enforce policy on which components are allowed, and trace a specific CVE to specific running workloads in minutes. A SBOM in a drawer is decorative.

How did the XZ backdoor change supply-chain practice?

It demonstrated that a single trusted maintainer could compromise a foundational library after years of legitimate contributions. The response has been more aggressive review of maintainer identity, build reproducibility checks, and a hard look at the long tail of barely-staffed but widely-depended-on projects.

✦ Notifire newsletter

Follow Software supply-chain security

We track Software supply-chain security as the news cycle moves. Get the briefings that matter in your inbox — free, no spam.

The day's most important tech briefings. No spam, unsubscribe anytime.

Related topics

  • Kubernetes security

Tech intelligence for engineering teams

Short, verified briefings on AI, cybersecurity, infrastructure, and data — with the analysis and action steps that matter. Every briefing is sourced, fact-checked, and bylined to a named editor.

[email protected]Story tips & corrections welcomeHow we report →

The Notifire briefing

Verified tech intelligence in your inbox — AI, security, infra, and data.

The day's most important tech briefings. No spam, unsubscribe anytime.

Sections

  • AI
  • Cybersecurity
  • Infrastructure
  • Database
  • Tech Updates
  • Web3 & Chains

Newsroom

  • About Notifire
  • Editorial team
  • Editorial standards
  • Methodology
  • AI disclosure
  • Corrections

Resources

  • Explore
  • Research hubs
  • Comparisons
  • Tech glossary
  • FAQ
  • Alerts & watchlists

Follow

  • RSS feed
  • Atom feed
  • LinkedIn
  • X / Twitter
  • Facebook
  • Instagram
  • YouTube
© 2026 NotifirePrivacyTermsCorrections
An independent, AI-assisted publication. Built at </Alpheric>
IntelligenceLive panel
Live

Top trending

Last 24h

    Popular tags

    Add to watchlist

    +OpenAI+Claude+PostgreSQL+Kubernetes+Cloudflare+AWS+CVE Critical

    Notifire score

    0–100 priority signal — combines impact, freshness, trending velocity, and source credibility.

    FeedExploreAskAlertsSavedProfile