#SoftwareSupplyChainSecurity

Latest posts tagged with #SoftwareSupplyChainSecurity on Bluesky

HUGE NEWS! 📣

The "father of SBOM," @allanfriedman.bsky.social, is joining Anchore as a Board Advisor!

We sat down with him to discuss the future of #SoftwareSupplyChainSecurity and what comes after SBOM.... anchore.com/blog/anchore-welcomes-sb...

Malicious npm Package Posing as OpenClaw Installer Deploys RAT, Steals macOS Credentials
Malicious npm package '@openclaw-ai/openclawai' downloaded 178 times installs GhostLoader RAT, stealing credentials and crypto wallets.

#NPM: A malicious npm package '@openclaw-ai/openclawai' is spreading a full RAT #malware disguised as an #OpenClaw installer. It steals browser data, macOS Keychain entries, crypto wallets, macOS and cloud credentials:
#SoftwareSupplyChainSecurity
👇

BSIMM16 confirms it: AI redefines the AppSec landscape | ReversingLabs
AI coding is the new reality — and it will further destabilize software supply chain security. So step up your AppSec.

BSIMM16 reinforces that #AIcoding is the new reality — and it will further destabilize #softwaresupplychainsecurity.
So step up your #AppSec. 👇
www.reversinglabs.com/blog/bsimm16...

2026 BlogAThon

The 2026 Ortelius BlogAThon is officially started. Whether you’re just starting out or you’ve been in the trenches of #softwaresupplychainsecurity, we want to hear your voice. Submit a blog between April 1st and July 1st to earn a badge. Learn more at: https://cstu.io/814c6b

Trivy security incident 2026-03-01 · aquasecurity/trivy · Discussion #10265
Trivy has been attacked today via GitHub Actions, along with other popular projects: https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation. We believe the vulnerability came f...

#trivy: The GitHub repo of Cloud Security and Supply Chain Security vendor Aqua Security's popular vulnerability scanner tool 'trivy' was compromised yesterday via GitHub Actions:
#SoftwareSupplyChainSecurity
👇

Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems
Cline CLI 2.3.0 was published with a stolen npm token, installing OpenClaw in an 8-hour attack affecting ~4,000 downloads.

#NPM: If previously attackers hijacked NPM packages to install credential-stealing and data-stealing malware, in this latest hijack of Cline CLI the attackers installed #OpenClaw:
#SoftwareSupplyChainSecurity
👇

SANDWORM_MODE: Shai-Hulud-Style npm Worm Hijacks CI Workflow...
An emerging npm supply chain attack that infects repos, steals CI secrets, and targets developer AI toolchains for further compromise.

#NPM: New Shai-Hulud–like supply chain worm is actively targeting the npm ecosystem with at least 19 malicious npm packages designed to steal developer & CI/CD secrets & automatically spread across repositories & workflows:
#SoftwareSupplyChainSecurity
👇

socket.dev/blog/sandwor...

Notepad++ hack marks an evolution of supply chain threats | ReversingLabs
A months-long compromise of the popular source code editor underscores a diversification of attack methods. Here's why going beyond trust is key.

⛓️ The recent compromise of Notepad++ underscores supply chain attack method diversification. It also serves as a reminder for why going beyond implicit trust is a must: hubs.ly/Q041-Cb30
#SoftwareSupplyChainSecurity #AppSec #DevSecOps

Hackers exploit critical React Native Metro bug to breach dev systems
Hackers are targeting developers by exploiting the critical vulnerability CVE-2025-11953 in the Metro server for React Native to deliver malicious payloads for Windows and Linux.

#ReactNative: Critical vulnerability CVE-2025-11953 in the Metro server for #React Native, which allows unauthenticated attackers to execute arbitrary OS commands via a POST request, is actively exploited - patch now!
#Metro4Shell
#SoftwareSupplyChainSecurity
👇
www.bleepingcomputer.com/news/securit...

Software Supply Chain Security Report: A 2025 retrospective | ReversingLabs
ReversingLabs looked at last year's report in the rear-view mirror. Here's a retrospective with what the team got right -- and wrong.

🪞We looked back on what we predicted the #SoftwareSupplyChainSecurity threat landscape would be in 2025. Here's what we got right — & wrong: https://bit.ly/49UKS19

Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users
State-backed attackers hijacked Notepad++ update traffic via a hosting provider breach, redirecting users to malicious downloads since June 2025.

#Notepad++ Official Update Mechanism Was Hijacked to Deliver Malware.

Notepad++ downloads between September 2 and December 2, 2025 were diverted to malicious servers.
#SoftwareSupplyChainSecurity
👇


📣 RL's 4th annual report on the state of #SoftwareSupplyChainSecurity is now available: https://bit.ly/3Fq6F3W

#AppSec #DevSecOps

Malicious PyPI Package Impersonates SymPy, Deploys XMRig Miner on Linux Hosts
A fake sympy-dev package on PyPI impersonates the SymPy library to download and run XMRig cryptominers on Linux using in-memory execution.

#Python: Malicious #PyPI package called 'sympy-dev' impersonates #SymPy, deploys XMRig miner on Linux hosts:

#SoftwareSupplyChainSecurity
👇

SSDF 1.2 recognizes AppSec is a journey | ReversingLabs
NIST has broadened the Secure Software Development Framework to include the full software development lifecycle. Here's why it matters.

NIST has broadened the Secure Software Development Framework (SSDF) to include the full SDLC. Here's what your #AppSec team needs to know: https://bit.ly/3ZksCbk

#DevSecOps #SoftwareSupplyChainSecurity


📆 Next Thursday: RL researchers break down real-world campaigns uncovered in the closing months of 2025 across NuGet, PyPI, PowerShell & VS Code: https://bit.ly/4sCIh3f

#SoftwareSupplyChainSecurity #Dev #Cybersecurity

How supply chain risk can affect your cyber insurance | ReversingLabs
Here's why gaining visibility into supply chain threats -- and adding controls for software risk -- are essential to insurability.

⛓️‍💥 Eligibility for #CyberInsurance could hinge on the strength of #SoftwareSupplyChainSecurity & third-party risk management controls: https://bit.ly/3NmbJu5

#Cybersecurity #DevSecOps


🧵Introducing: 🚨New Feature Alert → a series dedicated to RL product updates! This week, we’re excited to unveil a dedicated #Malware page in the RL-SAFE Report: app.arcade.software/share/H7euVM...

#SoftwareSupplyChainSecurity #DevSecOps

SF² framework aims to help you scale SecOps wisely | ReversingLabs
The Software Factory Security Framework looks at scaling security operations as a resource-allocation problem -- not just head count.

⛓️ The open-source SF² presents security scaling as a strategic resource-allocation challenge rather than a staffing problem. Here's how it helps: https://bit.ly/3YijlQz

#SoftwareSupplyChainSecurity #DevSecOps #CISO

Leveraging Spectra Assure and EDR to Mitigate Third-Party Software Risk | ReversingLabs
Here's how to create a compensating control in CrowdStrike to mitigate specific risks in a commercial software package.

Pairing RL Spectra Assure for #SoftwareSupplyChainSecurity with an #EDR solution like #CrowdStrike Falcon offers robust third-party software risk management.👇 https://bit.ly/48GeONR

Can Frameworks Stop Supply Chain Attacks? | ReversingLabs
Professor Laurie Williams and Ph.D. student Sivana Hamer of NC State discuss the effectiveness of software supply chain security frameworks.

⛓️‍💥 Can frameworks stop software supply chain attacks? We ask this in the latest episode of ConversingLabs #podcast: https://bit.ly/3MferkI

#Cybersecurity #SoftwareSupplyChainSecurity #GRC

Why AI and cloud-native are security game-changers | ReversingLabs
Existing security practices weren't designed to tackle today's risks, CSA notes in new guide -- making updating tooling essential.

A new guide on #threatmodeling for the cloud in the era of AI has been released by the CSA. It calls out that existing security practices aren't cutting it for the new era: https://bit.ly/447HlJD

#AISecurity #CloudSecurity #SoftwareSupplyChainSecurity


🚨 AI has redefined software risk — shaping how both attackers & defenders operate. Register now to get the breakdown on these shifting dynamics: https://bit.ly/4oqSV9T

#AISecurity #SoftwareSupplyChainSecurity #AppSec

GlassWorm Returns with 24 Malicious Extensions Impersonating Popular Developer Tools
GlassWorm spreads again using 24 fake extensions across Visual Studio Marketplace and Open VSX, hiding Rust implants & Solana-based C2 to target devs.

#VSCode: 24 malicious VS Code and #OpenVSX extensions are stealing developer credentials - spreading through popular names like Flutter, React, and Tailwind.

Full list of malicious VSCode extensions in the article below:
#SoftwareSupplyChainSecurity
👇

Malicious npm Package Uses Hidden Prompt and Script to Evade AI Security Tools
Malicious npm package mimics an ESLint plugin, embeds an AI-tricking prompt, and steals environment variables via a post-install script.

#npm: Malicious NPM Package eslint-plugin-unicorn-ts-2 Uses Hidden Prompt and Script to Evade #AI Security Tools:
#SoftwareSupplyChainSecurity

👇


👀 Blog with full details & more updates can be found here: t.co/YP35k2Mweq

#npm #OSS #SoftwareSupplyChainSecurity

Second Sha1-Hulud Wave Affects 25,000+ Repositories via npm Preinstall Credential Theft
Security vendors warn Sha1-Hulud has hijacked 25,000+ GitHub repos via npm packages, stealing cloud credentials or wiping dev home directories.

#NPM: Second Shai-Hulud Infection Wave Affects 25,000+ Repositories via npm Preinstall Credential Theft:
#SoftwareSupplyChainSecurity
👇

OWASP Top 10 takes on software supply chain risk | ReversingLabs
The Open Worldwide Application Security Project's widely used AppSec priority list is expanding to cover systemic risk to software security.

@owasp.org has proposed an update to its Top 10 list, which serves as a global standard for #AppSec. Here's what experts are saying about it: https://bit.ly/4iasFPq

#SoftwareSupplyChainSecurity #DevSecOps
