Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

How GitHub Plans to Fix the Supply Chain - The 443 Podcast - Episode 345

This week on the podcast, we discuss Cisco's recent zero-day vulnerabilities before covering a Microsoft Threat Intelligence post on a phishing campaign that abuses SVG files. After that, we review GitHub's proposed changes for securing the open source software supply chain.

The Weak Link: Recent Supply Chain Attacks Examined

Originally published: April 2023 Updated: September 2025 Supply chain attacks are a growing and increasingly sophisticated form of cyber threat. They target the complex network of relationships between organizations and their suppliers, vendors, and third-party service providers. These attacks exploit vulnerabilities that emerge due to the interconnected nature of digital supply chains, which often span multiple organizations, systems, and geographies.

EP 16 - Sensing the signals: The hidden risks in digital supply chains

Modern digital supply chains are increasingly complex and vulnerable. In this episode of Security Matters, host David Puner is joined by Retsef Levi, professor of operations management at the MIT Sloan School of Management, to explore how organizations can “sense the signals” of hidden risks lurking within their software supply chains, from open source dependencies to third-party integrations and AI-driven automation.

LevelBlue Spotlight Report Finds Manufacturers Struggling with the Impact of AI and Supply Chain Risk

LevelBlue’s newly released 2025 Spotlight Report: Cyber Resilience and Business Impact in Manufacturing, uncovered the different ways this sector has increased its understanding of the role cybersecurity must play moving forward, including the need to adopt a more proactive security posture to increase resilience and improve its defense mechanisms to combat AI-powered attacks.

Sandworm in the supply chain: Lessons from the Shai-Hulud npm attack on developer and machine identities

Do you know why Shai-Hulud should raise your hackles? Unless you’ve spent time on Arrakis in Frank Herbert’s Dune or the npm ecosystem this month, the name Shai-Hulud might not ring a bell. In Herbert’s world, Shai-Hulud is the colossal sandworm of Arrakis—feared, powerful, and destructive. In our world, I guess you could say the same thing. Shai-Hulud surfaced as a malware worm that tore through the npm software registry on Sept. 16–17, 2025.

6 Steps to Counter Fourth-Party Supply Chain Vendor Attacks

Managing a cybersecurity program is hard, but also very meaningful, work. Continuously managing the cybersecurity posture of your organization’s supply chain vendors can at times feel near impossible, afterall ensuring the cybersecurity of your suppliers is an order of magnitude leap in difficulty. Yet, criminals are demonstrating that despite these difficulties, this task requires our immediate attention, given the trending success in exploiting our businesses' trusted relationships.

NPM Ecosystem Under Siege: Self-Propagating Malware Compromises 187 Packages in a Huge Supply Chain Attack

The NPM ecosystem has been rocked by one of its widest supply chain attacks to date, with over 187 popular packages compromised by advanced malware capable of self-propagation and automated credential harvesting. This attack, affecting packages with millions of weekly downloads including angulartics2, ngx-toastr, and @ctrl/tinycolor, demonstrates how cybercriminals are evolving their tactics to create “worm-like” malware that can autonomously spread across the software supply chain.

Shai-Hulud: A Persistent Secret Leaking Campaign

On September 15, a new supply chain attack was identified that targeted the @ctrl/tinycolor and 150 other NPM packages. The attack scenario was similar to the one used in the s1ngularity and GhostActions campaigns. The threat actors combined a local environment secrets extraction with a malicious GitHub actions workflow injection in accessible projects. The compromised packages' structure has been detailed in blog posts by socket.dev and StepSecurity.