Thinking on software supply-chain security
Analysis of the threat landscape, explainers on the fundamentals, and case studies of the incidents that shaped the field. New to the topic? Start with Supply-Chain Security 101.
Analysis and opinion
Where the supply-chain threat landscape is heading, and what it means for how teams respond.
Adversaries Are Publishing at Scale. Speed Is Now the Only Defence.
A corpus of roughly 1,000 malicious packages impersonating TanStack libraries surfaced recently via jsDelivr telemetry. It is not an anomaly. It is the new baseline. The only meaningful response is to act faster than the blast radius can spread.
H2 2026: Packages Are the New Phishing Email, and Your Secrets Are the Target
Axios. LiteLLM. TeamPCP. Anthropic's AI adversary report. The first half of 2026 has given us enough signal to make a clear prediction: the second half will be worse. Malicious packages are not a supply chain problem any more. They are a credential theft problem. And most organisations are not set up to respond fast enough.
Mini Shai-Hulud: The Self-Replicating npm Worm That Should Change How You Think About Dependencies
The fourth campaign in the Shai-Hulud series has arrived. Mini Shai-Hulud targets SAP packages, TanStack and agentic AI libraries with a self-propagating worm that steals credentials, injects malicious code and spreads across your entire CI/CD estate before your scanner has filed a ticket.
AI Coding Is Creating Dependency Sprawl
AI coding assistants are transforming how software is built, but they are also quietly flooding enterprise codebases with unvetted dependencies at a scale security teams were never prepared for.
Why Dependency Hygiene Is the New AppSec Backlog
For years, application security teams have wrestled with vulnerability backlogs: thousands of findings, prioritised by severity, worked down slowly by engineering teams. Dependency hygiene is becoming the same problem, at greater scale.
From Detection to Orchestration in Software Supply Chain Security
The software supply chain security market has spent a decade getting very good at detection. The next decade belongs to orchestration: the operational layer that takes detection signals and turns them into controlled, verified remediation.
The fundamentals
Plain-English explainers on the attacks, defences, and standards that make up supply-chain security.
Dependency Confusion, Explained
How a public package can hijack your private one, and how to prevent it.
How Malicious Packages Hide: Obfuscation Techniques
Base64, eval, packing, and environment gating: the tricks that hide payloads from scanners and reviewers.
Indicators of Compromise (IOCs) in the Supply Chain
The concrete artifacts (IPs, domains, hashes, wallets, webhooks) that betray malicious packages.
Known vs Novel Malware in Dependencies
Why matching against known-bad lists isn't enough, and what catching novel threats actually takes.
Maintainer & Account Takeover
How attackers hijack trusted packages by taking over the people who publish them.
Malicious Install Scripts
Why install-time code execution is the supply chain's favourite weapon, and how to neutralise it.
MITRE ATT&CK for the Software Supply Chain
Mapping package attacks to a shared language of tactics and techniques.
Provenance & SLSA, Explained
Knowing not just what a package is, but how and where it was built.
Reachability Analysis, Explained
Most "critical" vulnerabilities never run in your app. Reachability tells you which ones do.
SBOMs, Explained
What a Software Bill of Materials is, why it's now table stakes, and where it stops being useful.
Secrets in Packages, Leaked and Stolen
Two secret problems in the supply chain: secrets accidentally shipped, and secrets actively stolen.
Software Supply-Chain Security 101
What the software supply chain is, how it gets attacked, and how to defend it.
Software Supply-Chain Security FAQ
Common questions about securing open-source dependencies, answered.
Software Supply-Chain Security Glossary
Plain-English definitions of the terms in supply-chain security, with links to go deeper.
Typosquatting in Package Registries, Explained
How attackers use look-alike package names to slip malware into your build, and how to stop it.
VEX, Explained
Vulnerability Exploitability eXchange, the standard way to say "present, but not exploitable here."
What Is a Registry Firewall?
Stop malicious packages before they're ever installed, by vetting at the registry layer.
Incidents worth learning from
Real supply-chain compromises, what made them work, and what defenders take away.
Case Study: PyTorch / torchtriton Dependency Confusion
How a malicious PyPI package hijacked PyTorch nightly builds via dependency confusion.
Case Study: SolarWinds / SUNBURST
The build-system compromise that redefined supply-chain risk for the whole industry.
Case Study: The Codecov Bash Uploader Compromise
A modified CI helper script quietly exfiltrated secrets from thousands of pipelines.
Case Study: The event-stream Incident
How a helpful "new maintainer" turned a popular npm package into a targeted crypto-wallet thief.
Case Study: The ua-parser-js Compromise
A hijacked npm account turned a hugely popular library into a malware dropper for hours.
Case Study: The XZ Utils Backdoor (CVE-2024-3094)
A multi-year social-engineering operation that planted a backdoor in a core Linux compression library.
See how Verifi puts this into practice
The platform turns this thinking into detection, enforcement, and automated remediation across your estate.