6 verified briefings on Supply Chain Attack. Each story includes a plain-English summary, why it matters, and the concrete action engineering teams should take.
A developer of the open-source Java testing library `jqwik` intentionally added hidden instructions to sabotage projects built by AI coding agents. This real-world prompt injection attack highlights a new vulnerability in the software supply chain, affecting developers who rely on AI for coding assistance.
A popular GitHub Actions workflow, `actions-cool/issues-helper`, has been compromised in a supply chain attack. Attackers altered repository tags to point to malicious code designed to steal sensitive credentials from CI/CD environments and send them to an external server.
A software supply chain attack has compromised several popular npm packages within the @antv ecosystem. Attackers gained control of a maintainer's account to distribute malicious code. The affected packages include `echarts-for-react`, a library with over one million weekly downloads, so the incident poses a significant risk.
The npm registry has experienced another malware attack, this time affecting the AntV data visualization tool. The incident occurred after an attacker compromised the credentials of a maintainer for the popular `timeago.js` library, highlighting ongoing risks in the open-source software supply chain.
A compromised version of the popular Nx Console extension (v18.95.0) was published on the VS Code Marketplace. The malicious version, which developers installed, contained a credential stealer. The extension has over 2.2 million installations, so the compromise poses a significant risk to affected users and their organizations.
A recently leaked malware kit named "Shai-Hulud" is now being used in a new campaign targeting the npm registry. Attackers are publishing infected packages to steal sensitive information from developers' systems, including credentials and cryptocurrency wallets. This highlights the ongoing risk of software supply chain attacks.