InfoSec - Supply chain attacks

Broad overview

https://blog.trailofbits.com/2025/09/24/supply-chain-attacks-are-exploiting-our-assumptions/

• History of largest attacks
• PyPI Trusted Publishing and attestations
• brew verify
• gocaps
• Zizmor for static analysis of GitHub Actions

Counter-rmeasures

https://obsidian.md/blog/less-is-safer/

• choosing fewer dependencies
• shallow graphs
• exact version pins
• no postinstall
• a slow, review-heavy upgrade cadence

https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns

• dependency cooldowns

https://sitezwin.com/posts/2025-11-29-sha-hulud-the-second-coming-encouter/

Examples

https://words.filippo.io/compromise-survey/

https://newsletter.cybersecurityhq.com/p/configuration-is-destiny-the-devops-missteps-driving-modern-breaches

https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/

• xzutils example
• other attempts
• ways to defend your project

https://luj.fr/blog/how-nixos-could-have-detected-xz.html

• xz example and how it affected Nixpkgs bootstrap
• countermeasures

Attempted attacks

https://blog.pypi.org/posts/2025-09-16-github-actions-token-exfiltration/

• attack tp steal GitHub access tokens
• target: PyPI
• replace long-lived tokens with Trusted Publisher’s short-lived ones

Package repository security

https://repos.openssf.org/principles-for-package-repository-security.html

Tools

https://guac.sh/why-guac/

Examples

Go - Typosquatting + persistent module cache

https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-for-persistence