Latest coverage for Supply Chain
Supply-chain attacks compromise trusted vendors or dependencies, potentially reaching downstream systems; verify provenance and limit access before deployment.
Refine the feed
Search across headline titles and summaries.
Tag briefing
Background for this topic.
Supply chain is the network of suppliers, software developers, service providers, components, and processes used to build and deliver an organization’s products or services. In a security threat model, it extends the trust boundary beyond the organization: a compromised supplier account, build system, software dependency, update mechanism, or hardware component can introduce malicious code, expose credentials, or undermine systems used by many customers.
Effective protection starts with mapping critical suppliers, dependencies, data flows, and access, then applying risk-based due diligence and least-privilege, segmented access. For software, maintain an inventory such as a software bill of materials, verify signed artifacts and update provenance where feasible, and monitor dependencies for vulnerabilities or unexpected changes. Contracts and technical controls should support timely notification and investigation. Response plans should cover revoking supplier access, isolating affected versions or integrations, determining exposure, and coordinating remediation with the provider.
Volume over time
Weekly headline count for the current query.
The AI Supply Chain Is Your Latest Unguarded Attack Surface
When You Consume AI, You Inherit Every Upstream Risk You Can't SeeMost enterprises don't build AI, they consume it through APIs, open-source models and orchestration frameworks. Each layer inherits upstream risk with little visibility. This piece maps the four-layer AI supply chain and the existing security disciplines that bring it under control.
When AI Agents Become Your Next Supply Chain Attack
Accenture Leak Could Enable Follow-On Attacks, Researchers Warn
Researchers Urge Organizations to Rotate Credentials and Review Audit LogsThreat actor 888 claims it stole Accenture source code and cloud credentials, prompting researchers to warn that any exposed Azure tokens, encryption keys or DevOps secrets could enable follow-on intrusions and downstream supply-chain attacks even as Accenture says operations remain unaffected.
Breach Roundup: ShinyHunters Leaks 26M MSG Records
Also, Arch Linux Attack, Estonia Quarantines Russian Emails, Joomla FlawThis week, ShinyHunters leaked alleged Madison Square Garden data, a U.S. senator pressed CISA on regional staffing cuts, an Arch Linux supply-chain attack, Mackay Sugar began recovery from a ransomware attack, Novo Nordisk faced dueling breach claims - and more compelling cybersecurity news.
Mastra AI Framework Poisoned in npm Supply-Chain Attack
Microsoft-Owned GitHub, Which Runs npm, Previews Supply-Chain Security FixesThe popular Mastra AI framework, used to build artificial intelligence agents, workflows and retrieval-augmented generation pipelines, has been poisoned by attackers, and Microsoft-owned GitHub has advised all developers to downgrade Mastra, pending compromised packages being found and eradicated.
Geopolitics Is Now a Cybersecurity Problem
UCL's Melanie Garson on Anti-Fragility, Supply Chain Risk and AI AdoptionGeopolitical exposure has quietly moved to the front of the security agenda, and most organizations are only now realizing how little they understand about where their risks originate, says Melanie Garson, associate professor of international security at UCL.
Vietnam's APT32 Targets Investors, Infrastructure Firm
Eset Says Threat Actor Redirected Efforts From Foreign OperationsEset linked OceanLotus, also known as APT32, to a supply-chain attack on Vietnam's FireAnt financial platform and a prolonged intrusion into a transport infrastructure company, suggesting the state-aligned threat actor is increasingly focused on gathering intelligence from domestic targets.
Miasma Worm Hits Microsoft's AI Coding Ecosystem
Attackers Compromised More Than 70 Microsoft Repositories in Under 2 MinutesAttackers linked to the Miasma supply-chain campaign compromised a Microsoft contributor account and pushed malicious code into more than 70 repositories, using artificial intelligence-assisted coding tools as an infection path to steal credentials and developer secrets at scale.
AI Governance Playbook Calls for Enterprise Risk Controls
Healthcare Coordinating Council Highlights AI Risks, Potential Medical MishapsHealthcare organizations face an array of difficult cybersecurity, privacy, patient safety, supply chain and operational resiliency issues as they roll out artificial intelligence tools. A new Health Sector Coordinating Council playbook aims to help by providing a voluntary governance framework.
Glassworm Group: Software Supply-Chain Attackers Disrupted
Suspected Russian Crime Group Built Resilient Command-and-Control InfrastructureIn a joint operation, CrowdStrike, Google and Shadowserver Foundation disrupted infrastructure used by the Glassworm cybercrime group, cutting off attackers from victims. The group has wielded a remote access Trojan to repeatedly target developers of widely used open-source software.
Socket Raises $60M for Wider Software Supply-Chain Defense
Funding at $1B Valuation Will Expand Controls Across Developer and AI EcosystemsSocket raised $60 million in a Thrive Capital-led Series C at a $1 billion valuation to expand its supply-chain security platform beyond package managers as AI coding tools increase enterprise exposure to malicious dependencies, browser extensions and developer tooling.
Automated 'Megalodon' Campaign Spreads GitHub Repo Backdoors
Supply-Chain Attack Uses Malicious GitHub Actions Workflow File to Steal SecretsMore than 5,000 GitHub repositories fell victim to an automated campaign, codenamed "Megalodon," in which an attacker injected malicious GitHub Actions that executed a script designed to steal development environment secrets, plus a variety of keys, tokens and other credentials, researchers said.
Only a Handful of CVEs Mattered for Supply Chain in 2025
Is the Vulnerability Exposed and Easily Exploitable?Not all supply chain vulnerabilities are alike. Between the exploding volume of new CVEs and the number of actual mass attacks, there lies a sweet spot of just dozens of vulnerabilities to quickly patch to head off risk. No company is able to address every new vulnerability.
Mass Supply-Chain Attack Slams npm and PyPi, Hits Mistral AI
Latest Mini Shai-Hulud Worm Steals Credentials, Includes Wiper, Now Open SourceA new Shai-Hulud variant has infected multiple npm repositories and jumped to other widely used JavaScript and Python packages. Designed to rapidly propagate, the worm steals over 100 different types of credentials and can wipe systems, including if developers try to delete it.
BlueVoyant Prepares SaaS Push Under New CEO John Hernandez
BlueVoyant Seeks to Expand Beyond MDR Clients Into Firms With Mature In-House SOCsBlueVoyant named John Hernandez - the former leader of Quest's Microsoft security business - as its next CEO to drive an agentic AI SaaS platform that expands the vendor beyond managed services and helps customers accelerate detection, response and supply-chain risk management.
North Koreans Spy on Defectors Via Android Game Apps
Website Popular in Korean Ethnic Enclave in China Hosts Apps Laced With a BackdoorA North Korean hacking group has been spying on a Korean ethnic enclave in China by infiltrating the Android apps of a regional gaming platform that hosts digital card and board games. Researchers attributed the supply-chain attack to a threat actor that Eset tracks as ScarCruft.
Socket Buys Secure Annex to Expand Supply-Chain Visibility
Combined Platform Spans Dependencies, Extensions, Developer ToolsSocket’s acquisition of Secure Annex extends software supply-chain security beyond open-source dependencies into browser and IDE extensions, addressing AI-driven development risks and fragmented visibility across modern developer workflows.
Pentagon's Anthropic Fight Draws Rebuke From Ex-DOD Leaders
Former Officials, Tech Groups Say Anthropic Designation Is Illegal - and DangerousFormer U.S. defense and intelligence officials argue the Pentagon's designation of Anthropic as a supply-chain risk was politically motivated and legally flawed, warning it could erode trust in government contracting and weaken the defense AI ecosystem.
Flurry of Supply-Chain Software Library Attacks
Continuous Integration Has Its DownsidesAs supply-chain attacks against widely-used, open-source software repositories continue, experts are urging developers to not only rely on code integrity tools, but also to introduce a delay before merging new repos, since unfolding attacks tend to get spotted in days, if not hours or minutes.