Supply Chain
[Hijacking GitHub Repositories by Deleting and Restoring Them | Blog by Joren Vrancken](https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/)
Open-source repositories flooded by 144,000 phishing packages
Cycode secures pipelines of thousands of open-source projects
SentinelSneak: Malicious PyPI module poses as security software development kit
[We sign code now | Trail of Bits Blog](https://blog.trailofbits.com/2022/11/08/sigstore-code-signing-verification-software-supply-chain/)
Repo Jacking: Exploiting the Dependency Supply Chain
https://twitter.com/i/communities/1590611905651040256
Batuhan (developer-guy) APAYDIN, https://www.linkedin.com/in/bthnapydin/
How to verify container images with Kyverno using KMS, Cosign, and Workload Identity | by developer-guy | sigstore
Managing Kyverno Policies as OCI Artifacts with OCIRepository Sources | Flux
Verify the integrity of the Helm Charts stored in OCI-compliant registries as OCI artifacts | Flux
Prove the Authenticity of OCI Artifacts | Flux
Tekton Chains: The Supply Chain Security Manager for your Tekton Pipelines - CD Foundation
[Software Delivery Shield protects the software supply chain | Google Cloud Blog](https://cloud.google.com/blog/products/devops-sre/introducing-software-delivery-shield-from-google-cloud)
[Even with all eyes on software supply chain security, open source remains a neglected target | SC Media](https://www.scmagazine.com/feature/devops/even-with-all-eyes-on-software-supply-chain-security-open-source-remains-a-neglected-target)
Threat Alert: Private npm Packages Disclosed via Timing Attacks
We at Aqua Nautilus have discovered that npm’s API allows threat actors to execute a timing attack that can detect whether private packages exist on the package manager. By creating a list of possible package names, threat actors can detect organizations’ scoped private packages and then masquerade public packages, tricking employees and users into downloading them.
We have disclosed this information to GitHub which, in response, replied that this architecture of the API is by design.
“Architectural nuances prevent us from systematically preventing timing attacks from determining whether a specific package exists.”
SLSA • Executive Order on Secure Supply Chain — in Plain English
What is a software supply chain attack? - by Walter Haydock
Mistrust Plugins You Must: A Large-Scale Study Of Malicious Plugins In WordPress Marketplaces
[Backdoored developer tool that stole credentials escaped notice for 3 months | Ars Technica](https://arstechnica.com/gadgets/2021/04/backdoored-developer-tool-that-stole-credentials-escaped-notice-for-3-months/)
oss-ssc-framework/framework.md at main · microsoft/oss-ssc-framework: This guide outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer’s workflow. This paper is split into two parts: a solution-agnostic set of practices and a maturity model-based implementation guide. TODO
Securing CI/CD Pipelines, Kyverno Policies, Tekton, Kyverno
LISA15 - Continuous Acceleration: Why Continuous Everything Needs a Supply Chain Approach - YouTube
Malware floods npm and PyPi registries in supply-chain attacks - Security - iTnews
All software is guilty until proven innocent - FCW
[LofyLife: malicious npm packages steal Discord tokens and bank card data | Securelist](https://securelist.com/lofylife-malicious-npm-packages/107014/)
Attacking Modern Environments Series: Attack Vectors on Terraform Environments | Mazin Ahmed https://twitter.com/mazen160
firefart/hijagger: Checks all maintainers of all NPM and Pypi packages for hijackable packages through domain re-registration https://twitter.com/firefart
[After the Advisory | Open Source Insights](https://blog.deps.dev/after-the-advisory/)
Transparently Immutable Tags using Sigstore’s Rekor
Update: IconBurst NPM software supply chain attack grabs data from apps and websites
[Introducing Gitsign. Keyless Git commit signing with… | by Billy Lynch | Jun, 2022 | sigstore](https://blog.sigstore.dev/introducing-gitsign-9fd3f1b682aa)
Spotify Techbytes presents Eric Brewer: “Security in Open Source” - YouTube
How to enhance supply chain security with GitLab and TestifySec | GitLab
TODO
[New from Google Cloud: Assured Open Source Software service | Google Cloud Blog](https://cloud.google.com/blog/products/identity-security/introducing-assured-open-source-software-service)
[How Google Cloud can help secure your software supply chain | Google Cloud Blog](https://cloud.google.com/blog/products/identity-security/how-google-cloud-can-help-secure-your-software-supply-chain)
https://github.com/cncf/tag-security/tree/main/supply-chain-security/compromises
https://ntia.gov/files/ntia/publications/vex_one-page_summary.pdf
https://dlorenc.medium.com/zero-trust-supply-chain-security-e3fb8b6973b8
TODO: go through previous Ryan Naraine newsletters (before Oct 6, 2021); one of them 2 or 3 ago had a ton of great links.
SPDX Becomes Internationally Recognized Standard for Software Bill of Materials
[Introducing: Chainguard, Inc. | Chainguard, Inc.](https://chainguard.dev/posts/2021-10-07-introducing-chainguard)