Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Modern digital supply chains are increasingly complex and vulnerable. In this episode of Security Matters, host David Puner is joined by Retsef Levi, professor of operations management at the MIT Sloan School of Management, to explore how organizations can “sense the signals” of hidden risks lurking within their software supply chains, from open source dependencies to third-party integrations and AI-driven automation.

LevelBlue’s newly released 2025 Spotlight Report: Cyber Resilience and Business Impact in Manufacturing, uncovered the different ways this sector has increased its understanding of the role cybersecurity must play moving forward, including the need to adopt a more proactive security posture to increase resilience and improve its defense mechanisms to combat AI-powered attacks.

Do you know why Shai-Hulud should raise your hackles? Unless you’ve spent time on Arrakis in Frank Herbert’s Dune or the npm ecosystem this month, the name Shai-Hulud might not ring a bell. In Herbert’s world, Shai-Hulud is the colossal sandworm of Arrakis—feared, powerful, and destructive. In our world, I guess you could say the same thing. Shai-Hulud surfaced as a malware worm that tore through the npm software registry on Sept. 16–17, 2025.

Managing a cybersecurity program is hard, but also very meaningful, work. Continuously managing the cybersecurity posture of your organization’s supply chain vendors can at times feel near impossible, afterall ensuring the cybersecurity of your suppliers is an order of magnitude leap in difficulty. Yet, criminals are demonstrating that despite these difficulties, this task requires our immediate attention, given the trending success in exploiting our businesses' trusted relationships.

The NPM ecosystem has been rocked by one of its widest supply chain attacks to date, with over 187 popular packages compromised by advanced malware capable of self-propagation and automated credential harvesting. This attack, affecting packages with millions of weekly downloads including angulartics2, ngx-toastr, and @ctrl/tinycolor, demonstrates how cybercriminals are evolving their tactics to create “worm-like” malware that can autonomously spread across the software supply chain.

On September 15, a new supply chain attack was identified that targeted the @ctrl/tinycolor and 150 other NPM packages. The attack scenario was similar to the one used in the s1ngularity and GhostActions campaigns. The threat actors combined a local environment secrets extraction with a malicious GitHub actions workflow injection in accessible projects. The compromised packages' structure has been detailed in blog posts by socket.dev and StepSecurity.

This is an ongoing incident and updates will be provided as more information is confirmed.

Dear reader, This week has been a strange one. Over the past few months, we’ve seen a string of significant supply chain attacks. The community has been sounding the alarm for a while, and the truth is we’ve been skating on thin ice. It feels inevitable that something bigger, something worse, is coming. In this post, I want to share some of the key takeaways from this week.

On September 8, 2025, a large-scale npm supply chain attack quickly compromised 18 popular packages (with the 18 packages representing more than 2.6 billion weekly downloads within the bioinformatics ecosystem). Attackers hijacked a maintainer’s account by impersonating npm support in a phishing campaign to upload backdoored versions of popular packages like chalk, debug, ansi-styles, and supports-color.

LevelBlue’s Security & Compliance Team is aware of the Salesloft vulnerability affecting Drift chatbot integrations. LevelBlue, and its affiliated entities, do not utilize Drift, and Salesforce has confirmed the incident did not impact clients without this integration. Based on current information, we confirm there has been no exposure or impact to us or our clients. Should new information arise that alters this assessment, we will provide an update directly.