supply chainThe most notable supply-chain attacks of 2025
In 2025, just as in the year prior, supply-chain attacks remained one of the most severe threats facing organizations. We’re breaking down last year’s most noteworthy incidents.
supply-chain attack
11 articles
Spam packages in npm: what are they and why are they dangerous?
In November 2025, the npm ecosystem was hit by a flood of junk packages that were part of the IndonesianFoods malicious campaign. We’re breaking down the lessons learned from this incident.
supply-chain attackPopular npm packages compromised
Unknown attackers have compromised several popular npm packages in a supply-chain attack.
phishingPhishers targeting PyPi and AMO developers
Attackers are sending phishing emails to developers of PyPi packages and Firefox add-ons.
Attack on DevOps: secrets leaked via malicious GitHub Action
How to respond to a compromised GitHub changed-files Action incident.
Remove Polyfill.io from your website
The JavaScript CDN service Polyfill.io has started spreading malicious code. Remove the service’s script from your website.
LinuxMalicious code discovered in Linux distributions
A backdoor implanted into XZ Utils has found its way into popular Linux distributions.
Case study: fake hardware cryptowallet
Full review of a fake cryptowallet incident. It looks and feels like a Trezor wallet, but puts all your crypto-investments into the hands of criminals.
PHP language source code compromise attempt
Unknown attackers tried to add a backdoor to PHP scripting language source code.
SAS 2018Do not become a link in a supply chain attack
Even if you are really not an interesting target for an APT actor, you can still be used in a malware delivery chain