InfoSec - Supply chain attacks

Counte-rmeasures

https://obsidian.md/blog/less-is-safer/

• choosing fewer dependencies
• shallow graphs
• exact version pins
• no postinstall
• a slow, review-heavy upgrade cadence

Examples

https://newsletter.cybersecurityhq.com/p/configuration-is-destiny-the-devops-missteps-driving-modern-breaches

https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/

• xzutils example
• other attempts
• ways to defend your project

https://luj.fr/blog/how-nixos-could-have-detected-xz.html

• xz example and how it affected Nixpkgs bootstrap
• countermeasures

Attempted attacks

https://blog.pypi.org/posts/2025-09-16-github-actions-token-exfiltration/

• attack tp steal GitHub access tokens
• target: PyPI
• replace long-lived tokens with Trusted Publisher’s short-lived ones

Package repository security

https://repos.openssf.org/principles-for-package-repository-security.html

Tools

https://guac.sh/why-guac/

Examples

Go - Typosquatting + persistent module cache

https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-for-persistence