Supply Chain
Browse all articles, tutorials, and guides about Supply Chain
Posts
AntV npm Compromise: The Shai-Hulud Worm Comes for Your Dashboards (May 19, 2026)
A new Shai-Hulud wave landed at 01:56 UTC on May 19 and rode the @antv maintainer account through 323 packages including echarts-for-react. Here is what got published, what it steals, and the lockfile grep that tells you if you are exposed.
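Added example (not code from the post above, nor from the AntV or Shai-Hulud analyses it summarizes): a lockfile exposure check that goes one step beyond a plain grep by parsing npm package-lock.json in both the v1 nested "dependencies" shape and the v2/v3 flat "packages" map, so nested and hoisted copies of a package are both found. The watch list is built only from names the blurb mentions (the @antv scope and echarts-for-react) and says nothing about which versions are compromised; the sample lockfile and its version numbers are constructed placeholders.

```python
"""List lockfile entries under watched npm scopes or exact package names.

Handles npm package-lock.json lockfileVersion 1 ("dependencies" tree, nested)
and lockfileVersion 2/3 ("packages" map keyed by node_modules path).
The watch list is a constructed example built from names on the page; it is
NOT a list of compromised versions, which must be taken from the advisory.
"""
import json
import sys

# Constructed watch list: an entry ending in "/" matches a whole scope,
# anything else must match the package name exactly.
WATCH = ("@antv/", "echarts-for-react")


def _matches(name):
    return any(name == w or (w.endswith("/") and name.startswith(w)) for w in WATCH)


def _name_from_path(path):
    # "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar"
    return path.rsplit("node_modules/", 1)[-1]


def _walk_v1(deps, out):
    # lockfileVersion 1 nests transitive deps under each entry's "dependencies".
    for name, meta in deps.items():
        if _matches(name):
            out.append((name, meta.get("version"), meta.get("resolved")))
        _walk_v1(meta.get("dependencies", {}), out)


def find_watched(lock):
    """Return sorted, de-duplicated (name, version, resolved) tuples for every
    watched entry in an already-parsed lockfile dict."""
    out = []
    if "packages" in lock:  # lockfileVersion 2/3
        for path, meta in lock["packages"].items():
            if path == "":
                continue  # the root project itself, never a dependency
            # Aliased installs carry an explicit "name"; otherwise derive it from the path.
            name = meta.get("name") or _name_from_path(path)
            if _matches(name):
                out.append((name, meta.get("version"), meta.get("resolved")))
    else:  # lockfileVersion 1
        _walk_v1(lock.get("dependencies", {}), out)
    return sorted(set(out))


# Constructed sample lockfile (not a real project); versions are placeholders.
SAMPLE_LOCK = json.loads("""{
  "name": "dashboard", "lockfileVersion": 3,
  "packages": {
    "": {"name": "dashboard", "version": "1.0.0"},
    "node_modules/echarts-for-react": {"version": "3.0.2",
      "resolved": "https://registry.npmjs.org/echarts-for-react/-/echarts-for-react-3.0.2.tgz"},
    "node_modules/@antv/g2": {"version": "5.2.0",
      "resolved": "https://registry.npmjs.org/@antv/g2/-/g2-5.2.0.tgz"},
    "node_modules/react": {"version": "18.3.1",
      "resolved": "https://registry.npmjs.org/react/-/react-18.3.1.tgz"},
    "node_modules/some-lib/node_modules/@antv/util": {"version": "3.3.5",
      "resolved": "https://registry.npmjs.org/@antv/util/-/util-3.3.5.tgz"}
  }
}""")


if __name__ == "__main__":
    # Usage: python lockcheck.py [path/to/package-lock.json]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    hits = find_watched(lock)
    for name, version, resolved in hits:
        print(f"{name}@{version}  {resolved}")
    # Non-zero exit makes the check usable as a CI gate.
    sys.exit(1 if hits else 0)
```

A hit means the project pulls a watched package name, not that the pinned version is malicious; compare each reported version against the advisory's list before acting, and remember that yarn.lock and pnpm-lock.yaml need their own parsers.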
TanStack npm Worm: The Supply-Chain Attack With a Dead-Man's Switch
On May 11, 2026, attackers republished 14+ official TanStack packages on npm with a worm that signs itself with valid SLSA provenance and arms a dead-man's switch that wipes your home directory the moment you revoke the stolen GitHub token. Here is what happened, how the payload works, and how to check your machine.
Software Supply Chain Security: SBOMs, Sigstore, and SLSA in Practice
Protect your software supply chain with practical steps for SBOM generation, artifact signing with Cosign, and SLSA provenance. Includes complete CI/CD pipeline examples for GitHub Actions and GitLab CI.