https://www.osmondvanhemert.nl/tags/supply-chain-security/Recent content in Supply Chain Security on Osmond van HemertHugo -- gohugo.ioen© Osmond van Hemert. All rights reserved.Thu, 30 Apr 2026 00:00:00 +0000https://www.osmondvanhemert.nl/posts/260430-pytorch-lightning-supply-chain-malware/Thu, 30 Apr 2026 00:00:00 +0000https://www.osmondvanhemert.nl/posts/260430-pytorch-lightning-supply-chain-malware/A Dune-themed malware campaign targeting the PyTorch Lightning library highlights how AI/ML supply chains are becoming prime targets for sophisticated attacks.https://www.osmondvanhemert.nl/posts/260409-xz-utils-supply-chain-anniversary/Thu, 09 Apr 2026 00:00:00 +0000https://www.osmondvanhemert.nl/posts/260409-xz-utils-supply-chain-anniversary/Nearly two years after the xz Utils backdoor shocked the open source world, the supply chain security landscape has changed — but not enough.https://www.osmondvanhemert.nl/posts/260312-supply-chain-security-slsa-adoption/Thu, 12 Mar 2026 00:00:00 +0000https://www.osmondvanhemert.nl/posts/260312-supply-chain-security-slsa-adoption/Supply chain security frameworks like SLSA and SBOM requirements are moving from recommendations to mandates. Here’s what developers need to know about the shifting landscape.https://www.osmondvanhemert.nl/posts/251218-ultralytics-supply-chain-attack/Thu, 18 Dec 2025 00:00:00 +0000https://www.osmondvanhemert.nl/posts/251218-ultralytics-supply-chain-attack/A supply chain attack on the popular Ultralytics YOLO package highlights the persistent vulnerability of the Python ecosystem’s distribution pipeline.https://www.osmondvanhemert.nl/posts/250605-npm-supply-chain-security-lessons/Thu, 05 Jun 2025 00:00:00 +0000https://www.osmondvanhemert.nl/posts/250605-npm-supply-chain-security-lessons/Another wave of malicious npm packages reminds us that JavaScript’s dependency ecosystem remains one of software’s biggest security challenges.https://www.osmondvanhemert.nl/posts/250501-tech-tariffs-software-supply-chain/Thu, 01 May 2025 00:00:00 +0000https://www.osmondvanhemert.nl/posts/250501-tech-tariffs-software-supply-chain/New US tariffs on technology imports are sending ripples through hardware supply chains, cloud pricing, and software infrastructure planning.https://www.osmondvanhemert.nl/posts/250313-github-actions-supply-chain-attack/Thu, 13 Mar 2025 00:00:00 +0000https://www.osmondvanhemert.nl/posts/250313-github-actions-supply-chain-attack/A compromised GitHub Action exposed secrets from thousands of repositories, highlighting how CI/CD pipelines have become prime targets for supply chain attacks.https://www.osmondvanhemert.nl/posts/240627-polyfill-io-supply-chain-attack/Thu, 27 Jun 2024 00:00:00 +0000https://www.osmondvanhemert.nl/posts/240627-polyfill-io-supply-chain-attack/The polyfill.io domain was acquired by a Chinese company and began injecting malware into over 100,000 websites, exposing fundamental weaknesses in how we trust third-party CDN dependencies.https://www.osmondvanhemert.nl/posts/240328-xz-utils-backdoor-cve-2024-3094/Thu, 28 Mar 2024 00:00:00 +0000https://www.osmondvanhemert.nl/posts/240328-xz-utils-backdoor-cve-2024-3094/A sophisticated supply chain attack via the xz Utils compression library was caught just days before reaching stable Linux distributions.https://www.osmondvanhemert.nl/posts/230629-moveit-breach-supply-chain-security/Thu, 29 Jun 2023 00:00:00 +0000https://www.osmondvanhemert.nl/posts/230629-moveit-breach-supply-chain-security/The MOVEit Transfer vulnerability has now impacted hundreds of organizations worldwide — a stark reminder that managed file transfer tools remain critical and under-secured attack surfaces.https://www.osmondvanhemert.nl/posts/230601-moveit-zero-day-supply-chain-nightmare/Thu, 01 Jun 2023 00:00:00 +0000https://www.osmondvanhemert.nl/posts/230601-moveit-zero-day-supply-chain-nightmare/A critical zero-day in Progress MOVEit Transfer is being actively exploited, and the scope of the damage is still emerging.https://www.osmondvanhemert.nl/posts/221215-log4shell-one-year-later/Thu, 15 Dec 2022 00:00:00 +0000https://www.osmondvanhemert.nl/posts/221215-log4shell-one-year-later/A year after Log4Shell shook the software industry, we examine what’s improved in supply chain security — and what still keeps us up at night.https://www.osmondvanhemert.nl/posts/220317-node-ipc-protestware-supply-chain/Thu, 17 Mar 2022 00:00:00 +0000https://www.osmondvanhemert.nl/posts/220317-node-ipc-protestware-supply-chain/A popular npm package was deliberately sabotaged by its own maintainer, raising urgent questions about supply chain trust in open source.https://www.osmondvanhemert.nl/posts/220113-white-house-open-source-security-summit/Thu, 13 Jan 2022 00:00:00 +0000https://www.osmondvanhemert.nl/posts/220113-white-house-open-source-security-summit/The White House convened tech leaders to address open source security after Log4Shell. Here’s what was discussed and what it means for developers.https://www.osmondvanhemert.nl/posts/211216-software-supply-chain-security-after-log4j/Thu, 16 Dec 2021 00:00:00 +0000https://www.osmondvanhemert.nl/posts/211216-software-supply-chain-security-after-log4j/A week after Log4Shell, the patching chaos continues. But the bigger lesson is about software supply chain security and why we need SBOMs now.https://www.osmondvanhemert.nl/posts/211209-log4shell-zero-day/Thu, 09 Dec 2021 00:00:00 +0000https://www.osmondvanhemert.nl/posts/211209-log4shell-zero-day/A critical remote code execution vulnerability in Apache Log4j has sent the entire industry scrambling. Here’s what you need to know and do right now.https://www.osmondvanhemert.nl/posts/211111-npm-coa-rc-supply-chain-attacks/Thu, 11 Nov 2021 00:00:00 +0000https://www.osmondvanhemert.nl/posts/211111-npm-coa-rc-supply-chain-attacks/Popular npm packages coa and rc were hijacked to distribute malware, impacting thousands of projects and raising urgent questions about supply chain security.https://www.osmondvanhemert.nl/posts/211021-ua-parser-js-npm-supply-chain-attack/Thu, 21 Oct 2021 00:00:00 +0000https://www.osmondvanhemert.nl/posts/211021-ua-parser-js-npm-supply-chain-attack/The popular ua-parser-js npm package was hijacked to deliver cryptominers and credential stealers, affecting millions of weekly downloads.https://www.osmondvanhemert.nl/posts/210708-kaseya-vsa-supply-chain-ransomware/Thu, 08 Jul 2021 00:00:00 +0000https://www.osmondvanhemert.nl/posts/210708-kaseya-vsa-supply-chain-ransomware/The REvil ransomware group exploited Kaseya’s VSA platform to hit over 1,500 businesses simultaneously. This is what supply chain attacks look like at scale.https://www.osmondvanhemert.nl/posts/210415-codecov-supply-chain-attack/Thu, 15 Apr 2021 00:00:00 +0000https://www.osmondvanhemert.nl/posts/210415-codecov-supply-chain-attack/Codecov’s compromised Bash Uploader script exposed CI/CD secrets for thousands of organizations, highlighting a systemic weakness in how we trust third-party tools in our build pipelines.https://www.osmondvanhemert.nl/posts/210401-php-git-server-compromise/Thu, 01 Apr 2021 00:00:00 +0000https://www.osmondvanhemert.nl/posts/210401-php-git-server-compromise/Attackers pushed malicious commits to PHP’s official Git repository, exposing the fragile trust model behind open-source supply chains.https://www.osmondvanhemert.nl/posts/210304-microsoft-exchange-hafnium-zero-day/Thu, 04 Mar 2021 00:00:00 +0000https://www.osmondvanhemert.nl/posts/210304-microsoft-exchange-hafnium-zero-day/Four zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited at scale, and the fallout is only beginning.https://www.osmondvanhemert.nl/posts/210211-solarwinds-supply-chain-security/Thu, 11 Feb 2021 00:00:00 +0000https://www.osmondvanhemert.nl/posts/210211-solarwinds-supply-chain-security/Three months after the SolarWinds breach disclosure, the full scope is still unfolding and the implications for software supply chain security demand fundamental changes in how we build and deploy software.https://www.osmondvanhemert.nl/posts/201217-solarwinds-supply-chain-attack/Thu, 17 Dec 2020 00:00:00 +0000https://www.osmondvanhemert.nl/posts/201217-solarwinds-supply-chain-attack/The SolarWinds supply chain attack is a watershed moment for software security — and it has profound implications for how we build, ship, and trust code.