<![CDATA[I don't think people are quite grasping the issue with software supply chain attacks.]]>I don't think people are quite grasping the issue with software supply chain attacks. It's not just a case of compromised built software, it's also the build time. One popular package being compromised means every other package that depends on it is also now potential compromised or soon to be. And the targets can often move across other repos in the same org or account

Basically a slow moving worm today is rapidly accelerating to collapse. Kessler syndrome of software packages.

]]>https://board.circlewithadot.net/topic/adf0edcf-e585-488d-ad8e-a67f074a281e/i-don-t-think-people-are-quite-grasping-the-issue-with-software-supply-chain-attacks.RSS for NodeFri, 15 May 2026 02:42:30 GMTSat, 02 May 2026 02:21:30 GMT60<![CDATA[Reply to I don't think people are quite grasping the issue with software supply chain attacks. on Sat, 02 May 2026 02:48:31 GMT]]>@krishean @xssfox

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/itgrrl/statuses/116502699115471409https://board.circlewithadot.net/post/https://infosec.exchange/users/itgrrl/statuses/116502699115471409Sat, 02 May 2026 02:48:31 GMT<![CDATA[Reply to I don't think people are quite grasping the issue with software supply chain attacks. on Sat, 02 May 2026 02:46:18 GMT]]>@krishean

pros: vendor responsibility
cons: vendor responsibility

]]>https://board.circlewithadot.net/post/https://cloudisland.nz/users/xssfox/statuses/116502690453531890https://board.circlewithadot.net/post/https://cloudisland.nz/users/xssfox/statuses/116502690453531890Sat, 02 May 2026 02:46:18 GMT<![CDATA[Reply to I don't think people are quite grasping the issue with software supply chain attacks. on Sat, 02 May 2026 02:46:03 GMT]]>@xssfox πŸ’―

but also… πŸ‘‡ ✨😜✨

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/itgrrl/statuses/116502689443201308https://board.circlewithadot.net/post/https://infosec.exchange/users/itgrrl/statuses/116502689443201308Sat, 02 May 2026 02:46:03 GMT<![CDATA[Reply to I don't think people are quite grasping the issue with software supply chain attacks. on Sat, 02 May 2026 02:36:28 GMT]]>(btw, most vulnerability scanning software isn't magic, it requires lock files, dpkg files or other data to work out what's installed. If you are using cut down builds, distroless and what not, most of these tools will not work and you cannot truly rely on them)

]]>https://board.circlewithadot.net/post/https://cloudisland.nz/users/xssfox/statuses/116502651748573470https://board.circlewithadot.net/post/https://cloudisland.nz/users/xssfox/statuses/116502651748573470Sat, 02 May 2026 02:36:28 GMT<![CDATA[Reply to I don't think people are quite grasping the issue with software supply chain attacks. on Sat, 02 May 2026 02:31:41 GMT]]>Even if you ci/cd is version pinned/locked to not get owned, did any of your developers pull down the new version while trying to fix an unrelated dependency issue?

What about third party software that vendors in packages?

]]>https://board.circlewithadot.net/post/https://cloudisland.nz/users/xssfox/statuses/116502632931993774https://board.circlewithadot.net/post/https://cloudisland.nz/users/xssfox/statuses/116502632931993774Sat, 02 May 2026 02:31:41 GMT