Software supply-chain security
How modern attacks move through dependencies, build systems, and image registries — and the defences (SLSA, sigstore, SBOMs) that block them.
Software supply-chain attacks compromise the trust chain between an open-source maintainer's laptop and your production workload. The notorious examples — SolarWinds, Log4j, the XZ backdoor — each exploited a different link in that chain.
Notifire tracks the practical defences engineering teams are deploying: SLSA provenance attestations, sigstore/cosign image signatures, deps.dev for transitive-dependency scoring, and admission controllers that refuse unsigned artifacts.
Latest briefings on Software supply-chain security
Security
Four Malicious npm Packages Discovered
Cybersecurity researchers have identified four malicious packages on the npm registry: `chalk-tempalte`, `@deadcode09284814/axios-util`, `axois-utils`, and `color-style-utils`. These packages were designed to steal information from developer systems and have been downloaded thousands of times.
Neeraj Dhiman
Tech
The Future of Package Tracking Is a Smart Sticker
Samsara has launched a smart, single-use Bluetooth adhesive label for packages. The Samsara Tracking Label provides near-real-time visibility into a shipment's location, making it easier than ever to track deliveries from dispatch to destination.
Taranpreet Singh
Security
Secure JavaScript projects with one command
DepsGuard is a new open-source tool that simplifies securing JavaScript projects. It applies recommended security settings, like package cooldowns and disabling install scripts, across multiple package managers (npm, pnpm, yarn, bun, uv) with a single command, addressing common supply chain vulnerabilities.
Neeraj Dhiman
Tech
Extreme Heat Is a Growing Economic Threat
Extreme heat is no longer just a climate issue; it's a growing economic problem. Rising temperatures are reducing worker productivity, slowing supply chains, and threatening economic growth in countries like India.
Navdeep Kaur Mahal
Security
Recent Flaws Highlight Systemic Risks
A series of high-impact security incidents, including a mail server zero-day, poisoned npm packages, and a fake AI repository, highlight a dangerous trend. Attackers are exploiting single points of failure in software supply chains and cloud infrastructure to launch widespread, cascading attacks.
Neeraj Dhiman
Security
Minimus Launches Tools to Secure Your Software Supply Chain
Security firm Minimus released two new tools to help teams manage software supply chain risks and container security together. The products aim to simplify protecting applications from third-party code vulnerabilities and misconfigurations.
Neeraj Dhiman
Tech
AI Demand Spikes DDR5 Prices
The price for 32GB of DDR5 RAM has surged to a minimum of $375, a significant increase from previous levels. This price hike is driven by massive demand from the AI industry, which is consuming memory supply and impacting the PC building market for consumers and businesses.
Taranpreet Singh
Security
Security Recap: Linux, Defender, Supply Chains
This week's security landscape saw the discovery of new Linux vulnerabilities and a zero-day flaw in Microsoft Defender. The incidents highlight ongoing risks from unpatched systems and complex supply chains. Additionally, old bugs resurfaced, and phishing attacks have become more targeted, posing a continued threat.
Neeraj Dhiman
Security
US Blacklists Top Chinese Tech Firms Over Military Links
The Pentagon has added Alibaba, Baidu, and other major Chinese tech companies to a list of firms allegedly supporting China's military. This move bars them from U.S. defense contracts and raises supply chain security concerns.
Neeraj Dhiman
Tech
New Process Could Unlock Lithium Supply
Researchers have developed a new, more environmentally friendly, and potentially cheaper method for extracting lithium, a critical component for batteries. The process, detailed in the journal Science, is being commercialized by a startup named Rock Zero, aiming to address future supply chain challenges for EVs and energy storage.
Taranpreet Singh
Security
Malware Campaign Targets Developer Tools
A new malware campaign named TrapDoor is targeting developers across npm, PyPI, and Crates.io. Researchers found over 34 malicious packages designed to compromise developer workstations and workflows, specifically targeting credentials and files related to AI coding assistants, highlighting ongoing software supply chain risks.
Neeraj Dhiman
Security
GitHub Is Making npm Installs Safer By Default
GitHub is rolling out security updates for npm, the popular JavaScript package manager. The changes will block malicious scripts from running automatically during installation, helping to protect developers and their projects from common supply-chain attacks.
Neeraj Dhiman
Security
Major Developer Malware Network Disrupted
CrowdStrike, Google, and the Shadowserver Foundation have successfully disrupted the GlassWorm malware campaign. This operation dismantled the command-and-control infrastructure used in a persistent software supply chain attack that targeted developers with malicious packages and extensions since at least early 2025.
Neeraj Dhiman
Security
npm Secures Packages with 2FA
GitHub has enhanced npm security with a new "staged publishing" feature. It requires maintainers to approve new package versions using two-factor authentication (2FA) before they are publicly available. This measure aims to prevent malicious package publications and strengthen the software supply chain against attacks.
Neeraj Dhiman
Security
Critical security flaws in NLTK library
Multiple high-severity vulnerabilities have been discovered in NLTK, a popular Python library for natural language processing. The flaws could allow for remote code execution and arbitrary file writes, posing a significant supply chain security risk for applications using the library. Developers should update immediately.
Neeraj Dhiman
Security
Laravel Packages Compromised With Malware
Several popular Laravel-Lang PHP packages were compromised in a software supply chain attack. Malicious code was injected to deliver a credential-stealing malware, posing a significant risk to applications using these packages and potentially exposing sensitive login information.
Neeraj Dhiman
Security
Malicious npm packages steal cloud secrets
Microsoft has uncovered a software supply chain attack using typosquatted npm packages to steal cloud and CI/CD credentials. The attack uses npm lifecycle hooks for execution and abuses the legitimate Bun runtime as a loader to deploy credential-stealing malware, targeting developers and their environments.
Neeraj Dhiman
Security
Malware Hits npm, PyPI, Crates.io
A coordinated supply chain attack named TrapDoor has been discovered across npm, PyPI, and Crates.io. The campaign used over 34 malicious packages to distribute credential-stealing malware, highlighting ongoing risks in open-source registries and the developers who rely on them.
Neeraj Dhiman
Security
Malicious npm packages target developers
Microsoft has identified an active supply chain attack on the npm ecosystem. Attackers are publishing malicious packages that mimic internal corporate libraries. Using a technique called dependency confusion, these packages are designed to infiltrate and gather information from developer environments, posing a significant risk to organizations.
Neeraj Dhiman
Data
Build Digital Twins with BigQuery Graph
Google Cloud published a guide on using its BigQuery Graph feature to create digital twins of complex systems, like a food supply chain. The approach helps businesses model and analyze relationships within their operations, moving beyond the limitations of traditional spreadsheets to manage growth and complexity effectively.
Taranpreet Singh
Security
Typosquatting is a supply chain threat
Typosquatting has evolved from a user-focused issue to a software supply chain threat. Attackers are now embedding malicious lookalike domains, sometimes generated by AI, directly into legitimate third-party scripts. This makes them difficult for standard security tools to detect, exposing web properties to new risks.
Neeraj Dhiman
Security
Supply Chain Attacks Target Developer Secrets
Attackers are expanding software supply chain attacks to target developer workstations and CI/CD pipelines directly. Recent campaigns on npm, PyPI, and Docker Hub aimed to steal secrets like API keys, cloud credentials, and tokens, shifting the focus from injecting malicious code to stealing developer access.
Neeraj Dhiman
Security
Grafana GitHub Breach Exposes Source Code
Grafana Labs confirmed a security breach limited to its GitHub environment, exposing public and private source code. The company stated that its investigation found no evidence of customer production systems being compromised. The incident was linked to a supply chain attack involving a TanStack npm package.
Neeraj Dhiman
Security
Malicious Code Found In AntV Packages
Microsoft has uncovered a supply chain attack targeting the @antv npm ecosystem. Attackers compromised a maintainer's account to publish malicious versions of data-visualization packages. The code aims to steal credentials from CI/CD pipelines and affects widely used libraries like echarts-for-react.
Neeraj Dhiman
Security
GitHub Breach Linked To TanStack Attack
GitHub has confirmed that a recent breach of 3,800 internal repositories was caused by a malicious VS Code extension. The extension was compromised in a wider supply-chain attack targeting the popular TanStack npm packages, highlighting the growing risks of software dependencies.
Neeraj Dhiman
Security
GitHub Internal Repositories Were Breached
GitHub has disclosed a security breach where an attacker gained unauthorized access to its internal repositories. The compromise originated from a malicious third-party VS Code extension on an employee's device. While thousands of internal repos were exfiltrated, GitHub reports no evidence of impact on customer data.
Neeraj Dhiman
Frequently asked questions
What is SLSA?
Supply-chain Levels for Software Artifacts — a framework that scores how trustworthy a build pipeline is. Level 1 produces provenance metadata; Level 4 means the build is hermetic, reproducible, and signed by a trusted builder. Most projects target Level 2 or 3.
Is an SBOM enough?
No. An SBOM tells you what's inside an artifact, but it only matters if you can act on it: subscribe to CVE feeds against the SBOM, enforce policy on which components are allowed, and trace a specific CVE to specific running workloads in minutes. An SBOM in a drawer is decorative.
How did the XZ backdoor change supply-chain practice?
It demonstrated that a single trusted maintainer could compromise a foundational library after years of legitimate contributions. The response has been more aggressive review of maintainer identity, build reproducibility checks, and a hard look at the long tail of barely-staffed but widely-depended-on projects.