Supply Chain Security

A popular npm package was deliberately sabotaged by its own maintainer, raising urgent questions about supply chain trust in open source.

The White House convened tech leaders to address open source security after Log4Shell. Here’s what was discussed and what it means for developers.

A week after Log4Shell, the patching chaos continues. But the bigger lesson is about software supply chain security and why we need SBOMs now.

A critical remote code execution vulnerability in Apache Log4j has sent the entire industry scrambling. Here’s what you need to know and do right now.

Popular npm packages coa and rc were hijacked to distribute malware, impacting thousands of projects and raising urgent questions about supply chain security.

The popular ua-parser-js npm package was hijacked to deliver cryptominers and credential stealers, affecting millions of weekly downloads.

The REvil ransomware group exploited Kaseya’s VSA platform to hit over 1,500 businesses simultaneously. This is what supply chain attacks look like at scale.

Codecov’s compromised Bash Uploader script exposed CI/CD secrets for thousands of organizations, highlighting a systemic weakness in how we trust third-party tools in our build pipelines.

Attackers pushed malicious commits to PHP’s official Git repository, exposing the fragile trust model behind open-source supply chains.

Four zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited at scale, and the fallout is only beginning.

Three months after the SolarWinds breach disclosure, the full scope is still unfolding and the implications for software supply chain security demand fundamental changes in how we build and deploy software.

The SolarWinds supply chain attack is a watershed moment for software security — and it has profound implications for how we build, ship, and trust code.