Supply Chain Security

CircleCI discloses a security incident and urges all customers to immediately rotate secrets stored in the platform. A reminder of the risks in our CI/CD supply chain.

A year after Log4Shell shook the software industry, we examine what’s improved in supply chain security — and what still keeps us up at night.

A popular npm package was deliberately sabotaged by its own maintainer, raising urgent questions about supply chain trust in open source.

The White House convened tech leaders to address open source security after Log4Shell. Here’s what was discussed and what it means for developers.

A week after Log4Shell, the patching chaos continues. But the bigger lesson is about software supply chain security and why we need SBOMs now.

A critical remote code execution vulnerability in Apache Log4j has sent the entire industry scrambling. Here’s what you need to know and do right now.

Popular npm packages coa and rc were hijacked to distribute malware, impacting thousands of projects and raising urgent questions about supply chain security.

The popular ua-parser-js npm package was hijacked to deliver cryptominers and credential stealers, affecting millions of weekly downloads.

The REvil ransomware group exploited Kaseya’s VSA platform to hit over 1,500 businesses simultaneously. This is what supply chain attacks look like at scale.

Codecov’s compromised Bash Uploader script exposed CI/CD secrets for thousands of organizations, highlighting a systemic weakness in how we trust third-party tools in our build pipelines.

Attackers pushed malicious commits to PHP’s official Git repository, exposing the fragile trust model behind open-source supply chains.

Four zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited at scale, and the fallout is only beginning.