
Software supply-chain security

How modern attacks move through dependencies, build systems, and image registries — and the defences (SLSA, sigstore, SBOMs) that block them.

Software supply-chain attacks compromise the trust chain between an open-source maintainer's laptop and your production workload. The notorious examples — SolarWinds, Log4j, the XZ backdoor — each exploited a different link in that chain.

Notifire tracks the practical defences engineering teams are deploying: SLSA provenance attestations, sigstore/cosign image signatures, deps.dev for transitive-dependency scoring, and admission controllers that refuse unsigned artifacts.


Latest briefings on Software supply-chain security

  • Security

    Four Malicious npm Packages Discovered

    Cybersecurity researchers have identified four malicious packages on the npm registry: `chalk-tempalte`, `@deadcode09284814/axios-util`, `axois-utils`, and `color-style-utils`. These packages were designed to steal information from developer systems and have been downloaded thousands of times.

    Neeraj Dhiman ·

  • Data

    Build Digital Twins with BigQuery Graph

    Google Cloud published a guide on using its BigQuery Graph feature to create digital twins of complex systems, like a food supply chain. The approach helps businesses model and analyze relationships within their operations, moving beyond the limitations of traditional spreadsheets to manage growth and complexity effectively.

    Taranpreet Singh · 4h ago

  • Security

    Typosquatting is a supply chain threat

    Typosquatting has evolved from a user-focused issue to a software supply chain threat. Attackers are now embedding malicious lookalike domains, sometimes generated by AI, directly into legitimate third-party scripts. This makes them difficult for standard security tools to detect, exposing web properties to new risks.

    Neeraj Dhiman · 1w ago

  • Security

    Supply Chain Attacks Target Developer Secrets

    Attackers are expanding software supply chain attacks to target developer workstations and CI/CD pipelines directly. Recent campaigns on npm, PyPI, and Docker Hub aimed to steal secrets like API keys, cloud credentials, and tokens, shifting the focus from injecting malicious code to stealing developer access.

    Neeraj Dhiman · 1w ago

  • Security

    Malicious Code Found In AntV Packages

    Microsoft has uncovered a supply chain attack targeting the @antv npm ecosystem. Attackers compromised a maintainer's account to publish malicious versions of data-visualization packages. The code aims to steal credentials from CI/CD pipelines and affects widely used libraries like echarts-for-react.

    Neeraj Dhiman · 1w ago

  • Security

    Grafana GitHub Breach Exposes Source Code

    Grafana Labs confirmed a security breach limited to its GitHub environment, exposing public and private source code. The company stated that its investigation found no evidence of customer production systems being compromised. The incident was linked to a supply chain attack involving a TanStack npm package.

    Neeraj Dhiman · 1w ago

  • Security

    GitHub Breach Linked To TanStack Attack

    GitHub has confirmed that a recent breach of 3,800 internal repositories was caused by a malicious VS Code extension. The extension was compromised in a wider supply-chain attack targeting the popular TanStack npm packages, highlighting the growing risks of software dependencies.

    Neeraj Dhiman · 1w ago

  • Security

    GitHub Internal Repositories Were Breached

    GitHub has disclosed a security breach where an attacker gained unauthorized access to its internal repositories. The compromise originated from a malicious third-party VS Code extension on an employee's device. While thousands of internal repos were exfiltrated, GitHub reports no evidence of impact on customer data.

    Neeraj Dhiman · 1w ago

Frequently asked questions

What is SLSA?

Supply-chain Levels for Software Artifacts — a framework that scores how trustworthy a build pipeline is. Level 1 produces provenance metadata; Level 4 means the build is hermetic, reproducible, and signed by a trusted builder. Most projects target Level 2 or 3.

Is an SBOM enough?

No. An SBOM tells you what's inside an artifact, but it only matters if you can act on it: subscribe to CVE feeds against the SBOM, enforce policy on which components are allowed, and trace a specific CVE to specific running workloads in minutes. An SBOM in a drawer is decorative.
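The two "act on it" steps above, matching an SBOM against a vulnerability feed and enforcing an allowed-components policy, as an added example that is not Notifire's code or any tool's own implementation. The SBOM is a constructed CycloneDX-style document, the vulnerability feed entries use placeholder IDs (not real CVEs), and the denylist is a constructed policy that happens to include two of the malicious npm package names named in the briefings above; the version comparison is deliberately simple (numeric segments only).

```python
"""Added example: turn an SBOM into a gating decision.

Everything here is constructed for illustration: the SBOM, the vulnerability
feed (placeholder IDs, not real CVEs) and the policy denylist.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample SBOM (CycloneDX JSON shape, trimmed to the fields used here).
# "chalk-tempalte" is included as a constructed example of a typosquatted
# dependency that slipped into the lockfile.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "payments-api", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "chalk-tempalte", "version": "1.0.0",
     "purl": "pkg:npm/chalk-tempalte@1.0.0"},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"}
  ]
}
"""

# Constructed vulnerability feed: version-less purl plus the half-open
# affected range [introduced, fixed). IDs are placeholders, not real CVEs.
VULN_FEED = [
    {"id": "EXAMPLE-VULN-0001", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0.0", "fixed": "2.15.0", "severity": "critical"},
    {"id": "EXAMPLE-VULN-0002", "purl": "pkg:pypi/requests",
     "introduced": "2.0.0", "fixed": "2.20.0", "severity": "medium"},
]

# Constructed policy: version-less purls that must never ship (two of the
# malicious npm names reported in the briefings above).
DENYLIST = {"pkg:npm/chalk-tempalte", "pkg:npm/axois-utils"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Compare dotted versions numerically; non-numeric segments count as 0."""
    parts = []
    for seg in v.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl: str) -> Tuple[str, str]:
    """'pkg:npm/chalk@5.3.0' -> ('pkg:npm/chalk', '5.3.0').

    npm scopes are percent-encoded in a purl ('%40antv'), so the last '@'
    always separates the version.
    """
    base, _, version = purl.rpartition("@")
    return (base, version) if base.startswith("pkg:") else (purl, "")


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Return the SBOM components that carry a purl (the key we match on)."""
    sbom = json.loads(sbom_json)
    return [c for c in sbom.get("components", []) if c.get("purl")]


def vulnerable(component_version: str, vuln: dict) -> bool:
    """True if the version falls inside the feed entry's affected range."""
    v = parse_version(component_version)
    return parse_version(vuln["introduced"]) <= v < parse_version(vuln["fixed"])


def match_vulns(components: List[dict], feed: List[dict]) -> List[dict]:
    """Join SBOM components to feed entries by version-less purl and range."""
    findings = []
    for c in components:
        base, version = split_purl(c["purl"])
        for vuln in feed:
            if vuln["purl"] == base and vulnerable(version, vuln):
                findings.append({"component": c["purl"], "vuln": vuln["id"],
                                 "severity": vuln["severity"]})
    return findings


def policy_violations(components: List[dict], denylist: set) -> List[str]:
    """Components whose version-less purl is on the denylist."""
    return [c["purl"] for c in components if split_purl(c["purl"])[0] in denylist]


def evaluate(sbom_json: str, feed: List[dict], denylist: set,
             block_on=("critical", "high")) -> dict:
    """Gate decision: block on any policy violation or a severe open finding."""
    components = load_components(sbom_json)
    findings = match_vulns(components, feed)
    violations = policy_violations(components, denylist)
    blocked = bool(violations) or any(f["severity"] in block_on for f in findings)
    return {"findings": findings, "violations": violations, "blocked": blocked}


if __name__ == "__main__":
    print(json.dumps(evaluate(SBOM_JSON, VULN_FEED, DENYLIST), indent=2))
```

The same `evaluate` call is what an admission controller or CI gate would run per artifact; the point of keeping the SBOM, feed and policy as plain inputs is that the traceability question ("which running workloads carry this component?") becomes a lookup over stored SBOMs keyed by image digest rather than a fresh scan.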

How did the XZ backdoor change supply-chain practice?

It demonstrated that a single trusted maintainer could compromise a foundational library after years of legitimate contributions. The response has been more aggressive review of maintainer identity, build reproducibility checks, and a hard look at the long tail of barely-staffed but widely-depended-on projects.

Related topics

  • Kubernetes security
© 2026 Notifire. Built at </Alpheric>