https://shieldedstack.com/blog Supply chain security deep-dives from ShieldedStack. en Mon, 22 Jun 2026 04:35:53 GMT https://shieldedstack.com/blog/the-weekly-dependency-threat-report-2026-06-20 https://shieldedstack.com/blog/the-weekly-dependency-threat-report-2026-06-20 Mon, 22 Jun 2026 04:34:43 GMT This weekly list covers the ten most significant malicious or compromised packages recently observed in public registries. 1. @mastra/client-js (npm) * Package: https://www.npmjs.com/package/@mastra/client-js * Severity: critical * Affected versions: 1.24.1 * Downloads: 250837 * First seen: 17 June 2026 at 03:32 UTC @mastra/client-js@1.24.1 was trojanized as part of a coordinated supply chain attack on the @mastra npm organization on 2026-06-17 between 01:12-02:24 UTC. A compromised mai noreply@shieldedstack.com (Alex Wichmann) https://shieldedstack.com/blog/the-hidden-risk-of-license-changes-in-open-source-dependencies https://shieldedstack.com/blog/the-hidden-risk-of-license-changes-in-open-source-dependencies Mon, 15 Jun 2026 08:19:59 GMT Most teams think about dependency risk in terms of CVEs, malware, and typosquatting. But there is another kind of supply-chain risk that can hit just as hard: a package you already trust can change its license in a later release, turning a routine upgrade into a legal and operational problem. That is why license-change alerts matter. When a dependency moves from a permissive license to AGPL, a commercial license, or some other policy-breaking model, the right time to catch it is before the pack noreply@shieldedstack.com (Alex Wichmann) https://shieldedstack.com/blog/the-weekly-dependency-threat-report-2026-06-14 https://shieldedstack.com/blog/the-weekly-dependency-threat-report-2026-06-14 Mon, 15 Jun 2026 06:55:16 GMT This weekly list covers the ten most significant malicious or compromised packages recently observed in public registries. 1. @builder.io/dev-tools (npm) * Package: https://www.npmjs.com/package/@builder.io/dev-tools * Severity: critical * Affected versions: 1.65.0 * Downloads: 35136 * First seen: 11 June 2026 at 00:19 UTC Malicious package detected. Behaviors: data exfiltration, code execution, obfuscated code. 2. events-runtime (npm) * Package: https://www.npmjs.com/package/events noreply@shieldedstack.com (Alex Wichmann) https://shieldedstack.com/blog/top-10-malicious-compromised-packages-2026-06-07 https://shieldedstack.com/blog/top-10-malicious-compromised-packages-2026-06-07 Mon, 08 Jun 2026 00:01:00 GMT This weekly list covers the ten most significant malicious or compromised packages recently observed in public registries. 1. puppeteer-core (npm) * Package: https://www.npmjs.com/package/puppeteer-core * Severity: critical * Affected versions: 25.1.0 * Downloads: 18014723 * First seen: 2 June 2026 at 13:38 UTC Typosquatting attack. Similar to popular package: unknown. Behaviors: data exfiltration, code execution, obfuscated code. 2. @puppeteer/browsers (npm) * Package: https://www. noreply@shieldedstack.com (Alex Wichmann) https://shieldedstack.com/blog/top-10-malicious-compromised-packages-2026-05-31 https://shieldedstack.com/blog/top-10-malicious-compromised-packages-2026-05-31 Mon, 01 Jun 2026 00:01:00 GMT This weekly list covers the ten most significant malicious or compromised packages recently observed in public registries. 1. events-channel (npm) * Package: https://www.npmjs.com/package/events-channel * Severity: critical * Affected versions: all * Downloads: 39778 * First seen: 25 May 2026 at 16:42 UTC Sophisticated npm typosquatting supply chain attack combining fake 15-year git history forgery with cryptocurrency theft malware. Attacker created throwaway account 'tamekacooke21' on noreply@shieldedstack.com (Alex Wichmann) https://shieldedstack.com/blog/nuget-supply-chain-security-a-practical-guide https://shieldedstack.com/blog/nuget-supply-chain-security-a-practical-guide Fri, 29 May 2026 08:05:48 GMT Your NuGet packages are a bigger attack surface than your code. Think about it: when was the last time you audited a dependency before running dotnet add package? You check the download count, maybe the GitHub stars, and move on. Meanwhile, you're trusting not just that package author, but every transitive dependency, every maintainer with commit access, and every build system that touched the release. The 2021 SolarWinds breach wasn't a sophisticated zero-day exploit. It was a compromised bui noreply@shieldedstack.com (Alex Wichmann) https://shieldedstack.com/blog/top-10-malicious-compromised-packages-2026-05-25 https://shieldedstack.com/blog/top-10-malicious-compromised-packages-2026-05-25 Mon, 25 May 2026 19:52:19 GMT This weekly list covers the ten most significant malicious or compromised packages recently observed in public registries. 1. durabletask (pypi) * Package: https://pypi.org/project/durabletask/ * Severity: critical * Affected versions: 1.4.1-1.4.3 * Downloads: 386297 * First seen: 19 May 2026 at 17:58 UTC TeamPCP compromised a legitimate PyPI contributor and published three malicious versions of durabletask (1.4.1, 1.4.2, 1.4.3) to PyPI — a Python package implementing Microsoft Azure's noreply@shieldedstack.com (Alex Wichmann) https://shieldedstack.com/blog/github-actions-security-checklist-for-the-supply-chain-attack-era https://shieldedstack.com/blog/github-actions-security-checklist-for-the-supply-chain-attack-era Sat, 16 May 2026 18:40:37 GMT GitHub Actions is one of the most convenient ways to automate builds, tests, releases, and deployments. It is also one of the easiest places to accidentally hand attackers a path into your software supply chain when workflow trust boundaries are too loose. That matters more now because recent supply chain incidents have followed the same pattern again and again: compromise the build path, steal a token, poison a release, and let downstream users do the rest. This checklist focuses on the mista noreply@shieldedstack.com (Alex Wichmann) https://shieldedstack.com/blog/how-shieldedstack-uses-kiota-to-keep-frontend-and-backend-in-sync https://shieldedstack.com/blog/how-shieldedstack-uses-kiota-to-keep-frontend-and-backend-in-sync Fri, 24 Apr 2026 20:45:52 GMT In ShieldedStack, the Control Plane frontend doesn’t manually define API calls. Instead, it consumes a fully generated, strongly typed TypeScript client. Built directly from the backend’s OpenAPI specification using Kiota. This approach keeps the frontend and backend in lockstep, eliminates drift, and removes a whole class of runtime errors caused by mismatched contracts. Build-Time: Generating the Client The process starts in the backend project (API). During the build, the API emits an Ope noreply@shieldedstack.com (Alex Wichmann)