2026 BlogAThon 2026 BlogAThon

The 2026 Ortelius BlogAThon is officially started. Whether you’re just starting out or you’ve been in the trenches of #softwaresupplychainsecurity, we want to hear your voice. Submit a blog between April 1st and July 1st to earn a badge. Learn more at: https://cstu.io/814c6b

A popular Python library just became a backdoor to your entire machine Supply chain attacks feel like they're becoming more and more common.

#LiteLLM Compromised! LiteLLM - a popular Python Library used by a lot of AI tooling got compromised on PyPI, and the malicious versions are stealing everything they can find on your machine:

#SoftwareSupplyChainSecurity

👇

TeamPCP Hacks Checkmarx GitHub Actions Using Stolen CI Credentials TeamPCP compromised 2 GitHub Actions post-March 19, 2026 breach, enabling credential theft and supply chain attacks.

#Checkmarx GitHub Actions and Open VSX extensions hacked and replaced with malware by the same TeamPCP who hacked Trivy last week.

#SoftwareSupplyChainSecurity
👇

Integrating Security into the Distribution Pipeline

Integrating Security into the Distribution Pipeline

beefed.ai/en/integrate-security-so...

#SoftwareSupplyChainSecurity #CodeSigning #VulnerabilityScanning #ArtifactPolicies #LeastPrivilegeDeployment

Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets Trivy attack force-pushed 75 tags via GitHub Actions, exposing CI/CD secrets, enabling data theft and persistence across developer systems.

#Trivy, a popular open-source vulnerability scanner, was compromised - attackers hijacked 75 version tags in #GitHub Actions to deliver an infostealer.

It ran in CI pipelines, stealing creds and tokens, exfiltrating data:
#SoftwareSupplyChainSecurity
👇
thehackernews.com/2026/03/triv...

2026 BlogAThon 2026 BlogAThon

The 2026 Ortelius BlogAThon is officially started. Whether you’re just starting out or you’ve been in the trenches of #softwaresupplychainsecurity, we want to hear your voice. Submit a blog between April 1st and July 1st to earn a badge. Learn more at: https://cstu.io/814c6b

HUGE NEWS! 📣

The "father of SBOM," @allanfriedman.bsky.social, is joining Anchore as a Board Advisor!

We sat down with him to discuss the future of #SoftwareSupplyChainSecurity and what comes after SBOM.... anchore.com/blog/anchore-welcomes-sb...

Malicious npm Package Posing as OpenClaw Installer Deploys RAT, Steals macOS Credentials Malicious npm package '@openclaw-ai/openclawai' downloaded 178 times installs GhostLoader RAT, stealing credentials and crypto wallets.

#NPM: A malicious npm package '@openclaw-ai/openclawai' is spreading a full RAT #malware disguised as an #OpenClaw installer. It steals browser data, macOS Keychain entries, crypto wallets, MacOS and cloud credentials:
#SoftwareSupplyChainSecurity
👇

BSIMM16 confirms it: AI redefines the AppSec landscape | ReversingLabs AI coding is the new reality — and it will further destabilize software supply chain security. So step up your AppSec.

BSIMM16 reinforces that #AIcoding is the new reality — and it will further destabilize #softwaresupplychainsecurity.
So step up your #AppSec. 👇
www.reversinglabs.com/blog/bsimm16...

2026 BlogAThon 2026 BlogAThon

The 2026 Ortelius BlogAThon is officially started. Whether you’re just starting out or you’ve been in the trenches of #softwaresupplychainsecurity, we want to hear your voice. Submit a blog between April 1st and July 1st to earn a badge. Learn more at: https://cstu.io/814c6b

Trivy security incident 2026-03-01 · aquasecurity/trivy · Discussion #10265 Trivy has been attacked today via GitHub Actions, along with other popular projects: https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation. We believe the vulnerability came f...

#trivy: The GitHub repo of Cloud Security and Supply Chain Security vendor Aqua Security popular vulnerability scanner tool 'trivy' was compromised yesterday via GitHub Actions:
#SoftwareSupplyChainSecurity
👇

Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems Cline CLI 2.3.0 was published with a stolen npm token, installing OpenClaw in an 8-hour attack affecting ~4,000 downloads.

#NPM: If previously attackers hijacked NPM packages to install credential-stealing and data-stealing malware, in this latest hijack of Cline CLI the attackers installed #OpenClaw:
#SoftwareSupplyChainSecurity
👇

HUGE NEWS! 📣

The "father of SBOM," @allanfriedman.bsky.social, is joining Anchore as a Board Advisor!

We sat down with him to discuss the future of #SoftwareSupplyChainSecurity and what comes after SBOM.... anchore.com/blog/anchore-welcomes-sb...

SANDWORM_MODE: Shai-Hulud-Style npm Worm Hijacks CI Workflow... An emerging npm supply chain attack that infects repos, steals CI secrets, and targets developer AI toolchains for further compromise.

#NPM: New Shai-Hulud–like supply chain worm is actively targeting the npm ecosystem with at least 19 malicious npm packages designed to steal developer & CI/CD secrets & automatically spread across repositories & workflows:
#SoftwareSupplyChainSecurity
👇

socket.dev/blog/sandwor...

Notepad++ hack marks an evolution of supply chain threats | ReversingLabs A months-long compromise of the popular source code editor underscores a diversification of attack methods. Here's why going beyond trust is key.

⛓️ The recent compromise of Notepad++ underscores supply chain attack method diversification. It also serves as a reminder for why going beyond implicit trust is a must: hubs.ly/Q041-Cb30
#SoftwareSupplyChainSecurity #AppSec #DevSecOps

Hackers exploit critical React Native Metro bug to breach dev systems Hackers are targeting developers by exploiting the critical vulnerability CVE-2025-11953 in the Metro server for React Native to deliver malicious payloads for Windows and Linux.

#ReactNative: Critical vulnerability in Metro server for #React Native CVE-2025-11953 allows unauthenticated attackers to execute arbitrary OS commands via a POST request is actively exploited - patch now!
#Metro4Shell
#SoftwareSupplyChainSecurity
👇
www.bleepingcomputer.com/news/securit...

Software Supply Chain Security Report: A 2025 retrospective | ReversingLabs ReversingLabs looked at last year's report in the rear-view mirror. Here's a retrospective with what the team got right -- and wrong.

🪞We looked back on what we predicted the #SoftwareSupplyChainSecurity threat landscape would be in 2025. Here's what we got right — & wrong: https://bit.ly/49UKS19

Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users State-backed attackers hijacked Notepad++ update traffic via a hosting provider breach, redirecting users to malicious downloads since June 2025.

#Notepad++ Official Update Mechanism Was Hijacked to Deliver Malware.

Notepad++ downloads between September 2 - December 2, 2025 were diverted to malicious servers.
#SoftwareSupplyChainSecurity
👇

📣 RL's 4th annual report on the state of #SoftwareSupplyChainSecurity is now available: https://bit.ly/3Fq6F3W

#AppSec #DevSecOps

HUGE NEWS! 📣

The "father of SBOM," @allanfriedman.bsky.social, is joining Anchore as a Board Advisor!

We sat down with him to discuss the future of #SoftwareSupplyChainSecurity and what comes after SBOM.... anchore.com/blog/anchore-welcomes-sb...

Malicious PyPI Package Impersonates SymPy, Deploys XMRig Miner on Linux Hosts A fake sympy-dev package on PyPI impersonates the SymPy library to download and run XMRig cryptominers on Linux using in-memory execution.

#Python : Malicious #PyPI Package called 'sympy-dev' Impersonates #SymPy, Deploys XMRig Miner on Linux Hosts:

#SoftwareSupplyChainSecurity
👇

SSDF 1.2 recognizes AppSec is a journey | ReversingLabs NIST has broadened the Secure Software Development Framework to include the full software development lifecycle. Here's why it matters.

NIST has broadened the Secure Software Development Framework (SSDF) to include the full SDLC. Here's what your #AppSec team needs to know: https://bit.ly/3ZksCbk

#DevSecOps #SoftwareSupplyChainSecurity

📆 Next Thursday: RL researchers break down real-world campaigns uncovered in the closing months of 2025 across NuGet, PyPI, PowerShell & VS Code: https://bit.ly/4sCIh3f

#SoftwareSupplyChainSecurity #Dev #Cybersecurity

How supply chain risk can affect your cyber insurance | ReversingLabs Here's why gaining visibility into supply chain threats -- and adding controls for software risk -- are essential to insurability.

⛓️‍💥 Eligibility for #CyberInsurance could hinge on the strength of #SoftwareSupplyChainSecurity & third-party risk management controls: https://bit.ly/3NmbJu5

#Cybersecurity #DevSecOps

🧵Introducing: 🚨New Feature Alert → a series dedicated to RL product updates! This week, we’re excited to unveil a dedicated #Malware page in the RL-SAFE Report: app.arcade.software/share/H7euVM...

#SoftwareSupplyChainSecurity #DevSecOps

SF² framework aims to help you scale SecOps wisely  | ReversingLabs The Software Factory Security Framework looks at scaling security operations as a resource-allocation problem -- not just head count.

⛓️ The open-source SF² presents security scaling as a strategic resource-allocation challenge rather than a staffing problem. Here's how it helps: https://bit.ly/3YijlQz

#SoftwareSupplyChainSecurity #DevSecOps #CISO

HUGE NEWS! 📣

The "father of SBOM," @allanfriedman.bsky.social, is joining Anchore as a Board Advisor!

We sat down with him to discuss the future of #SoftwareSupplyChainSecurity and what comes after SBOM.... anchore.com/blog/anchore-welcomes-sb...

Leveraging Spectra Assure and EDR to Mitigate Third-Party Software Risk | ReversingLabs Here's how to create a compensating control in Crowdstrike to mitigate specific risks in a commercial software package.

Pairing RL Spectra Assure for #SoftwareSupplyChainSecurity with an #EDR solution like #CrowdStrike Falcon offers robust third-party software risk management.👇 https://bit.ly/48GeONR

Can Frameworks Stop Supply Chain Attacks? | ReversingLabs Professor Laurie Williams and Ph.D. student Sivana Hamer of NC State discuss the effectiveness of software supply chain security frameworks.

⛓️‍💥 Can frameworks stop software supply chain attacks? We ask this in the latest episode of ConversingLabs #podcast: https://bit.ly/3MferkI

#Cybersecurity #SoftwareSupplyChainSecurity #GRC

Why AI and cloud-native are security game-changers | ReversingLabs Existing security practices weren't designed to tackle today's risks, CSA notes in new guide -- making updating tooling essential.

A new guide on #threatmodeling for the cloud in the era of AI has been released by the CSA. It calls out that existing security practices aren't cutting it for the new era: https://bit.ly/447HlJD

#AISecurity #CloudSecurity #SoftwareSupplyChainSecurity