tag: supply-chain
2026-03-23
2026-03-24
Supply Chain Attack in litellm 1.82.8 on PyPI
Analysis of a compromised litellm PyPI release that executed via a malicious .pth file, attempted credential exfiltration and Kubernetes persistence, and prompted urgent incident-response guidance.2026-03-25
La Sentinella nella supply chain
Descrive SENT, un sistema di rilevamento in tempo reale per la supply chain dei package (PyPI, npm, WordPress) basato su grafo a cascata, diff-first AST analysis e detonazione dinamica per intercettare aggiornamenti malevoli stealth.SENT — Supply-chain Event Network Triage
Real-time supply-chain monitoring for package ecosystems. SENT prioritizes high-impact releases using a cascade-weighted dependency graph, performs diff-first AST behavioral analysis and argument-level "call_diff" detection, and supports optional dynamic detonation to confirm suspicious updates.2026-03-31
CRITICAL: Active supply-chain attack on axios
Alert based on a thread reporting an active supply‑chain compromise of axios (npm). The latest axios@1.14.1 pulls a newly published dependency `plain-crypto-js@4.2.1` that appears to be obfuscated installer/malware; recommendation: pin your axios version, audit lockfiles, and avoid upgrading until verified.2026-04-01
Cisco source code stolen in Trivy-linked dev environment breach
Reports indicate threat actors leveraged credentials stolen via the Trivy supply‑chain compromise to breach Cisco development environments, clone hundreds of repositories and exfiltrate source code and AWS keys. Incident is being linked to TeamPCP and related supply‑chain attacks.2026-04-10
HWInfo and CPU-Z both compromised
VX-Underground flags a supply-chain compromise affecting HWInfo and CPU-Z, with trojanized installers, file masquerading, multi-stage in-memory payloads, and C2 infrastructure tied to the campaign.Fully Countering Trusting Trust through Diverse Double-Compiling
David A. Wheeler’s long-form essay on the trusting trust attack, diverse double-compiling, reproducible builds, and broader software and hardware supply-chain verification.2026-04-30
Open source package with 1 million monthly downloads stole user credentials
The elementary-data Python package (v0.23.3) was compromised via a GitHub Actions vulnerability, stealing credentials including API tokens, SSH keys, and cloud provider keys.2026-05-12
Postmortem: TanStack npm supply-chain compromise
Comprehensive incident postmortem on the June 11, 2026 compromise of @tanstack/* packages. Attack used pull_request_target pattern, GitHub Actions cache poisoning, and OIDC token extraction. 84 malicious versions, 2.3MB obfuscated router_init.js, self-propagating malware, credential harvesting from AWS/GCP/K8s/Vault/GitHub/SSH2026-05-28
Bambu Lab non solo viola la licenza AGPL ma minaccia chi sviluppa fork del suo software
Miami Mamma USa Linux reports that Bambu Lab not only violates the AGPL license but is also threatening developers who create forks of their software.2026-06-04