Topic

#Supply Chain Security

13 articles on Supply Chain Security — news, releases, guides and analysis from the SourceFeed engine.

Article 3d ago 5

Inside PinpinRAT: How APTs Hijack Developer Build Pipelines

A failed social engineering attack on a crates.io maintainer reveals highly stealthy local execution techniques.

Ji-ho Choi

AI Coding Assistants Turn Local Git Repos Into Cloud Exploits

A high-severity Amazon Q flaw highlights how Model Context Protocol configurations let malicious repositories run code and steal credentials.

Article · 3d ago2

The Cordyceps Exploits: Why Your CI/CD Pipelines Are Wide Open

A systemic workflow composition flaw exposes hundreds of major repositories, proving we must stop treating CI/CD as passive configuration.

Article · 5d ago0

Apple Absorbs Swift Package Index. Watch the Signing Plan.

The acquisition looks like a discovery upgrade, but the real story is who controls trust and identity for Swift's supply chain.

News · 5d ago2

GitHub Hardens actions/checkout to Block Pwn Request Attacks

The latest security update stops common pipeline exploits but leaves structural CI/CD risks for developers to manage.

Article · 6d ago0

The GitHub Clone Farm That Beat VirusTotal

A 10,000-repo Trojan campaign weaponizes GitHub's trust signals, search ranking and commit history — and the next mark is your AI agent.

Article · 1w ago2

Arch's AUR Malware Sprawl Hits 1,579 Packages

A user-repository compromise that started at 400 packages ballooned past 1,500 before Arch developers purged the malicious commits.

News · 2w ago6

Homebrew 6.0.0 Makes You Trust Your Taps

The package manager now gates third-party tap code behind explicit trust and extends Bubblewrap sandboxing to Linux.

Release · 2w ago7

npm v12 Is About to Stop Running Your Install Scripts — Here's What to Audit

The next npm major flips lifecycle scripts, Git, and remote-URL dependencies from opt-out to opt-in. The warnings are already live in 11.16.0, so you have until July to find out what breaks.

News · 2w ago5

Miasma Worm Hits Microsoft Packages Twice in Weeks — and Your SLSA Provenance Won't Save You

The Miasma credential stealer has now compromised the same Microsoft GitHub account twice, defeating cryptographic supply-chain guarantees and triggering silently when developers open packages in AI coding agents.

Article · 2w ago1

uv Gets Built-In Vulnerability and Malware Scanning

Astral's uv package manager adds `uv audit` and optional install-time malware checks powered by OSV, closing supply-chain gaps that separate tooling can't easily address.

News · 3w ago1

Config Files That Run Code: The Supply Chain Blind Spot Nobody Is Auditing

The Miasma worm didn't need a malicious dependency. It used .claude/settings.json, .vscode/tasks.json, and package.json to detonate a credential stealer — before you read a single line of code.

Article · 3w ago0

Config Files That Run Code: The Supply Chain Blindspot You're Probably Not Auditing

The Miasma worm hid a credential-stealing dropper inside ordinary config files for VS Code, Cursor, Claude Code, Gemini CLI, npm, Composer, and Bundler. Here's exactly how each vector works — and what to review before you clone.

Article · 3w ago0