supply chain security5 articles
Supply Chain Attack Hits Packagist: Eight PHP Packages Compromised via GitHub-Delivered Malware
Eight packages on Packagist, the primary dependency registry for PHP projects, were quietly backdoored in a supply chain attack that used GitHub infrastructure to serve Linux malware.
Megalodon Attack Poisons Thousands of GitHub Repos via CI/CD Hijacking
Someone has been systematically targeting GitHub repositories at scale.
Typosquatting Has Outgrown the User Error Excuse
Typosquatting was once seen as a relatively simple phishing threat: a user mistypes a domain, lands on a malicious site, and becomes compromised. That model is now outdated. Modern typosquatting has moved beyond browsers into software package registries, dependency managers, and CI/CD pipelines, making it a software supply chain security issue rather than a user-awareness problem.
A Poisoned VS Code Extension Just Breached 3,800 GitHub Repositories
GitHub has confirmed that approximately 3,800 internal repositories were compromised after an employee installed a malicious VS Code extension, which was subsequently removed from the VS Code Marketplace and the affected device secured. The hacker group TeamPCP has claimed responsibility, advertising the stolen data on a cybercrime forum for at least $50,000, though GitHub states there is no evidence that customer data outside the breached repositories was affected. This incident is part of a broader pattern of malicious VS Code extensions targeting developers, with TeamPCP also previously linked to supply chain attacks on platforms including PyPI, NPM, and Docker.
OpenAI Hit by TanStack Supply Chain Attack After Two Employee Machines Infected
OpenAI confirmed it was caught up in the "Mini Shai-Hulud" npm supply chain attack, in which malware hidden in compromised TanStack packages reached two employee devices and allowed attackers to steal a limited amount of internal credentials. The two affected machines had not yet received updated supply chain security controls that would have blocked the malicious dependency. As a precaution, OpenAI is rotating signing certificates for several desktop products — including ChatGPT Desktop, Codex App, and Codex CLI — and says there is no evidence that customer data or production systems were compromised.