supply-chain attack

10 articles

IndonesianFoods Spam Campaign: 89 000 junk packages in npm

Spam packages in npm: what are they and why are they dangerous?

In November 2025, the npm ecosystem was hit by a flood of junk packages that were part of the IndonesianFoods malicious campaign. We’re breaking down the lessons learned from this incident.

Popular npm packages compromised

Popular npm packages compromised

Unknown attackers have compromised several popular npm packages in a supply-chain attack.

Phishing attack on PyPi and AMO developers

Phishers targeting PyPi and AMO developers

Attackers are sending phishing emails to developers of PyPi packages and Firefox add-ons.

Supply chain attack via GitHub Action

Attack on DevOps: secrets leaked via malicious GitHub Action

How to respond to a compromised GitHub changed-files Action incident.

The biggest supply chain attacks in 2024

Supply-chain attacks in 2024

We look at the most notable supply-chain attacks of 2024.

Why you need to remove the Polyfill.io script from your website

Remove Polyfill.io from your website

The JavaScript CDN service Polyfill.io has started spreading malicious code. Remove the service’s script from your website.

CVE-2024-3094: malicious code in Linux distributions

Malicious code discovered in Linux distributions

A backdoor implanted into XZ Utils has found its way into popular Linux distributions.

Review and analysis of fake Trezor cryptowallet

Case study: fake hardware cryptowallet

Full review of a fake cryptowallet incident. It looks and feels like a Trezor wallet, but puts all your crypto-investments into the hands of criminals.

PHP language source code compromise attempt

Unknown attackers tried to add a backdoor to PHP scripting language source code.

Do not become a link in a supply chain attack

Even if you are really not an interesting target for an APT actor, you can still be used in a malware delivery chain