Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Supply chain attacks, particularly those targeting continuous integration/continuous delivery (CI/CD) pipelines, are on the rise. It’s easy to think of these attacks as something that only happens to others, but the reality is that your organization is part of the supply chain too. Whether your company develops software for internal use, offers it as part of a service to your customers, or sells it as a product, you’re exposed.

No organization can achieve its goals on its own. To truly get ahead in the rapidly transitioning digital society, any organization will need a diverse group of partners who specialize in the products and services they do not. Commonly referred to as a “supply chain” this web of connections ensures the world operates smoothly, but navigating its many connections is challenging. Luckily, Bitsight TRACE doesn’t shy away from a challenge.

The tj-actions/changed-files GitHub Action, which is currently used in over 23,000 repositories, has been compromised, leaking secrets through workflow logs and impacting thousands of CI pipelines. All tagged versions were modified, making tag-based pinning unsafe. Public repositories are at the highest risk, but private repos should also verify their exposure.

On March 14, 2025, StepSecurity uncovered a compromise in the popular GitHub Action tj-actions/changed-files. Tens of thousands of repositories use this action to track file changes, and it is now known to have been tampered with, posing a risk to both public and private projects. A CVE has been created for this issue: CVE-2025-30066.

North Korea’s Lazarus Group is evolving its tactics again. The latest campaign, dubbed Operation Marstech Mayhem, introduces an advanced implant named “Marstech1.” This malware is designed to compromise software developers and cryptocurrency wallets through manipulated open-source repositories. Unlike previous Lazarus operations, this campaign employs obfuscation techniques that make detection significantly harder. Read the full report here.

Supply chain security is no longer just an IT issue, it’s a critical business concern. As recent high-profile breaches like the MOVEit vulnerability have shown, a single vulnerability in a vendor’s system can have a cascading effect, disrupting operations and damaging reputations across the entire supply chain. This shift in the threat landscape demands a new approach to cybersecurity that prioritizes collaboration, resilience, and a proactive defense strategy.

Cyber hackers always find ways to make their strategies more perfect in countermanding the security measures, and the XE Group is no exception. Hailing from Vietnam, initially famous for its credit card skimming operations, the cyber threat entity now engages itself in supply chain hacking. This sophistication and flexibility are proved by exploiting two newly identified zero-day vulnerabilities in VeraCore's warehouse management software.

Software supply chain security risks are mounting. As noted in Veracode’s State of Software Security (SoSS) report, organizations of all sizes are drowning in security debt, and a large portion of the critical debt can be attributed to third-party vulnerabilities.