Skip to main content

Supply Chain

Browse all articles, tutorials, and guides about Supply Chain

7posts

Posts

CI/CD
|11 min read

The pwn request just got harder: what actions/checkout v7 changes, and what it does not

GitHub is backporting a fork-checkout block to actions/checkout, with enforcement on July 20, 2026. Here is what a pwn request actually is, what the change stops, and the three ways your pipeline is still exposed after you upgrade.

DevOps
|10 min read

Shai-Hulud Reaches PyPI: The Hades Wave That Runs Before You Import It

The Shai-Hulud worm jumped to PyPI on June 7. The Hades wave hides in 19 Python packages, runs at interpreter startup through a .pth hook before you import anything, and steals your CI/CD secrets.

DevOps
|10 min read

When the Malicious Hook Is in the Other Manifest: 700+ Repos, 8 Packagist Packages, One package.json Trick

On May 22, 2026, Socket disclosed a Composer supply chain attack that hid an npm-style postinstall command inside package.json on PHP projects. composer.json was clean, the PHP review missed it, and 700+ GitHub repos pulled it in. Here is the exact payload, why ecosystem-boundary blindness keeps catching teams, and how to wire your CI to look at both manifests.

DevOps
|11 min read

node-ipc DNS-Tunneling Supply Chain Attack: Your Egress Firewall Probably Missed This

On May 14, 2026, three malicious versions of the node-ipc npm package shipped a payload that hunts AWS, SSH, kubeconfig, and GitHub CLI credentials, then smuggles them out through DNS TXT queries. Most orgs filter HTTPS egress. Almost nobody filters DNS. Here is what the payload does and how to close the gap.

DevOps
|9 min read

AntV npm Compromise: The Shai-Hulud Worm Comes for Your Dashboards (May 19, 2026)

A new Shai-Hulud wave landed at 01:56 UTC on May 19 and rode the @antv maintainer account through 323 packages including echarts-for-react. Here is what got published, what it steals, and the lockfile grep that tells you if you are exposed.

DevOps
|11 min read

TanStack npm Worm: The Supply-Chain Attack With a Dead-Man's Switch

On May 11, 2026, attackers republished 14+ official TanStack packages on npm with a worm that signs itself with valid SLSA provenance and arms a dead-man's switch that wipes your home directory the moment you revoke the stolen GitHub token. Here is what happened, how the payload works, and how to check your machine.

Security
|11 min read

Software Supply Chain Security: SBOMs, Sigstore, and SLSA in Practice

Protect your software supply chain with practical steps for SBOM generation, artifact signing with Cosign, and SLSA provenance. Includes complete CI/CD pipeline examples for GitHub Actions and GitLab CI.