Blog

Supply chain security, written from the inside.

Attack post-mortems, technical deep-dives, and practical guidance for engineering teams running on-premises dependency security.

The Weekly Dependency Threat Report: 2026-06-20

This weekly list covers the ten most significant malicious or compromised packages recently observed in public registries. 1. @mastra/client-js (npm) * Package: https://www.npmjs.com/package/@mastra/client-js * Severity: critical * Affected versions: 1.24.1 * Downloads: 250837 * First seen: 17 June 2026 at 03:32 UTC @mastra/client-js@1.24.1 was trojanized as part of a coordinated supply chain attack on the @mastra npm organization on 2026-06-17 between 01:12-02:24 UTC. A compromised mai

22 June 2026

8 min read

The hidden risk of license changes in open-source dependencies

Most teams think about dependency risk in terms of CVEs, malware, and typosquatting. But there is another kind of supply-chain risk that can hit just as hard: a package you already trust can change its license in a later release, turning a routine upgrade into a legal and operational problem. That is why license-change alerts matter. When a dependency moves from a permissive license to AGPL, a commercial license, or some other policy-breaking model, the right time to catch it is before the pack

15 June 2026

4 min read

The Weekly Dependency Threat Report: 2026-06-14

This weekly list covers the ten most significant malicious or compromised packages recently observed in public registries. 1. @builder.io/dev-tools (npm) * Package: https://www.npmjs.com/package/@builder.io/dev-tools * Severity: critical * Affected versions: 1.65.0 * Downloads: 35136 * First seen: 11 June 2026 at 00:19 UTC Malicious package detected. Behaviors: data exfiltration, code execution, obfuscated code. 2. events-runtime (npm) * Package: https://www.npmjs.com/package/events

15 June 2026

3 min read

Top 10 malicious / compromised packages – 2026-06-07

This weekly list covers the ten most significant malicious or compromised packages recently observed in public registries. 1. puppeteer-core (npm) * Package: https://www.npmjs.com/package/puppeteer-core * Severity: critical * Affected versions: 25.1.0 * Downloads: 18014723 * First seen: 2 June 2026 at 13:38 UTC Typosquatting attack. Similar to popular package: unknown. Behaviors: data exfiltration, code execution, obfuscated code. 2. @puppeteer/browsers (npm) * Package: https://www.

8 June 2026

5 min read

Top 10 malicious / compromised packages – 2026-05-31

This weekly list covers the ten most significant malicious or compromised packages recently observed in public registries. 1. events-channel (npm) * Package: https://www.npmjs.com/package/events-channel * Severity: critical * Affected versions: all * Downloads: 39778 * First seen: 25 May 2026 at 16:42 UTC Sophisticated npm typosquatting supply chain attack combining fake 15-year git history forgery with cryptocurrency theft malware. Attacker created throwaway account 'tamekacooke21' on

1 June 2026

3 min read

NuGet Supply Chain Security: A Practical Guide

Your NuGet packages are a bigger attack surface than your code. Think about it: when was the last time you audited a dependency before running dotnet add package? You check the download count, maybe the GitHub stars, and move on. Meanwhile, you're trusting not just that package author, but every transitive dependency, every maintainer with commit access, and every build system that touched the release. The 2021 SolarWinds breach wasn't a sophisticated zero-day exploit. It was a compromised bui

29 May 2026

4 min read

Top 10 malicious / compromised packages – 2026-05-25

This weekly list covers the ten most significant malicious or compromised packages recently observed in public registries. 1. durabletask (pypi) * Package: https://pypi.org/project/durabletask/ * Severity: critical * Affected versions: 1.4.1-1.4.3 * Downloads: 386297 * First seen: 19 May 2026 at 17:58 UTC TeamPCP compromised a legitimate PyPI contributor and published three malicious versions of durabletask (1.4.1, 1.4.2, 1.4.3) to PyPI — a Python package implementing Microsoft Azure's

25 May 2026

5 min read

GitHub Actions Security Checklist for the Supply Chain Attack Era

GitHub Actions is one of the most convenient ways to automate builds, tests, releases, and deployments. It is also one of the easiest places to accidentally hand attackers a path into your software supply chain when workflow trust boundaries are too loose. That matters more now because recent supply chain incidents have followed the same pattern again and again: compromise the build path, steal a token, poison a release, and let downstream users do the rest. This checklist focuses on the mista

16 May 2026

5 min read

How ShieldedStack Uses Kiota to Keep Frontend and Backend in Sync

In ShieldedStack, the Control Plane frontend doesn’t manually define API calls. Instead, it consumes a fully generated, strongly typed TypeScript client. Built directly from the backend’s OpenAPI specification using Kiota. This approach keeps the frontend and backend in lockstep, eliminates drift, and removes a whole class of runtime errors caused by mismatched contracts. Build-Time: Generating the Client The process starts in the backend project (API). During the build, the API emits an Ope

24 April 2026

1 min read

Subscribe via RSS

New posts on supply chain attacks, dependency security, and EU sovereignty as they ship.

RSS feed