Supply Chain Security

A Dune-themed malware campaign targeting the PyTorch Lightning library highlights how AI/ML supply chains are becoming prime targets for sophisticated attacks.

Nearly two years after the xz Utils backdoor shocked the open source world, the supply chain security landscape has changed — but not enough.

Supply chain security frameworks like SLSA and SBOM requirements are moving from recommendations to mandates. Here’s what developers need to know about the shifting landscape.

A supply chain attack on the popular Ultralytics YOLO package highlights the persistent vulnerability of the Python ecosystem’s distribution pipeline.

Another wave of malicious npm packages reminds us that JavaScript’s dependency ecosystem remains one of software’s biggest security challenges.

New US tariffs on technology imports are sending ripples through hardware supply chains, cloud pricing, and software infrastructure planning.

A compromised GitHub Action exposed secrets from thousands of repositories, highlighting how CI/CD pipelines have become prime targets for supply chain attacks.

The polyfill.io domain was acquired by a Chinese company and began injecting malware into over 100,000 websites, exposing fundamental weaknesses in how we trust third-party CDN dependencies.

A sophisticated supply chain attack via the xz Utils compression library was caught just days before reaching stable Linux distributions.

The MOVEit Transfer vulnerability has now impacted hundreds of organizations worldwide — a stark reminder that managed file transfer tools remain critical and under-secured attack surfaces.

A critical zero-day in Progress MOVEit Transfer is being actively exploited, and the scope of the damage is still emerging.

A year after Log4Shell shook the software industry, we examine what’s improved in supply chain security — and what still keeps us up at night.