The recent Packagist and Composer security update matters because it moves the PHP ecosystem away from best-effort trust and toward stronger release controls, malware filtering, and immutable versions.
TrapDoor stood out because it was not tied to one package registry. It spread across npm, PyPI, and crates.io while targeting crypto developers, AI tooling, and developer workstations.
The Laravel-Lang compromise showed how dangerous mutable tags and Composer autoload execution can become when attackers gain push access to a package namespace.
Megalodon showed that software supply chain attacks do not need a poisoned package when attackers can backdoor CI workflows across thousands of repositories instead.
The AntV wave showed how Mini Shai-Hulud evolved from a high-profile compromise into a mass npm credential-harvesting campaign across hundreds of packages.
The poisoned Nx Console release and the resulting GitHub employee-device compromise showed how a developer extension can become a platform-level supply chain problem.
The Shai-Hulud campaign showed how quickly modern package ecosystems can turn a compromised maintainer or CI path into broad install-time credential theft.