Supply Chain

[Hijacking GitHub Repositories by Deleting and Restoring Them Blog by Joren Vrancken](

Open-source repositories flooded by 144,000 phishing packages

Cycode secures pipelines of thousands of open-source projects

SentinelSneak: Malicious PyPI module poses as security software development kit

[We sign code now Trail of Bits Blog](

Repo Jacking: Exploiting the Dependency Supply Chain

Batuhan (developer-guy) APAYDIN,

How to verify container images with Kyverno using KMS, Cosign, and Workload Identity | by developer-guy | sigstore Managing Kyverno Policies as OCI Artifacts with OCIRepository Sources | Flux Verify the integrity of the Helm Charts stored in OCI-compliant registries as OCI artifacts | Flux Prove the Authenticity of OCI Artifacts | Flux Tekton Chains: The Supply Chain Security Manager for your Tekton Pipelines - CD Foundation

[Software Delivery Shield protects the software supply chain Google Cloud Blog](
[Even with all eyes on software supply chain security, open source remains a neglected target SC Media](

Threat Alert: Private npm Packages Disclosed via Timing Attacks

We at Aqua Nautilus have discovered that npm’s API allows threat actors to execute a timing attack that can detect whether private packages exist on the package manager. By creating a list of possible package names, threat actors can detect organizations’ scoped private packages and then masquerade public packages, tricking employees and users into downloading them.

We have disclosed this information to GitHub which, in response, replied that this architecture of the API is by design.

“Architectural nuances prevent us from systematically preventing timing attacks from determining whether a specific package exists.”

Dino A. Dai Zovi on Twitter: “The control that you really want here is binary authorization (aka BinAuthz) where your production compute only accepts artifacts signed by the key expected for the production build pipeline. This can be enforced by a k8s admission controller, for example. Developers init deploy.” / Twitter

SLSA • Executive Order on Secure Supply Chain — in Plain English

What is a software supply chain attack? - by Walter Haydock

Mistrust Plugins You Must: A Large-Scale Study Of Malicious Plugins In WordPress Marketplaces

[Backdoored developer tool that stole credentials escaped notice for 3 months Ars Technica](

oss-ssc-framework/ at main · microsoft/oss-ssc-framework This guide outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer’s workflow. This paper is split into two parts: a solution-agonistic set of practices and a maturity model-based implementation guide. TODO

(1) Mark Manning on Twitter: “Securing open source software supply chain including threats, assessment strategy, (another) maturity model. Lot of information here.” / Twitter

Securing CI/CD Pipelines, Kyverno Policies, Tekton, Kyverno

lukehinds/policy-controller-demo: demo of keyless signing with the sigstore kubernetes policy controller

LISA15 - Continuous Acceleration: Why Continuous Everything Needs a Supply Chain Approach - YouTube

Malware floods npm and PyPi registries in supply-chain attacks - Security - iTnews

(2) Chip Zoller on Twitter: “New week, new blog: Attesting Image Scans with Kyverno Learn how to provide regular, attested vulnerability scans and enforce them using a combination of @github Action, @AquaSecTeam Trivy, @projectsigstore Cosign, and @kyverno all within @kubernetesio.” / Twitter

All software is guilty until proven innocent - FCW

[LofyLife: malicious npm packages steal Discord tokens and bank card data Securelist](

Attacking Modern Environments Series: Attack Vectors on Terraform Environments | Mazin Ahmed

firefart/hijagger: Checks all maintainers of all NPM and Pypi packages for hijackable packages through domain re-registration

[After the Advisory Open Source Insights](

Transparently Immutable Tags using Sigstore’s Rekor

Update: IconBurst NPM software supply chain attack grabs data from apps and websites

[Introducing Gitsign. Keyless Git commit signing with… by Billy Lynch Jun, 2022 sigstore](

Spotify Techbytes presents Eric Brewer: “Security in Open Source” - YouTube

How to enhance supply chain security with GitLab and TestifySec | GitLab

[New from Google Cloud: Assured Open Source Software service Google Cloud Blog](
[How Google Cloud can help secure your software supply chain Google Cloud Blog](

(1) Lightning Talk: Repurposed Purpose: Using Git’s DAG for Supply Chain Artifact Resolution- Aeva Black - YouTube

TODO: go through previous Ryan Nairaine newsletter (before Oct 6, 2021), one of them 2 or 3 ago had a ton of great links.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

[Introducing: Chainguard, Inc. Chainguard, Inc.](

Complete Software Supply Chain Security - Cycode

npm audit: Broken by Design — Overreacted