
#supply-chain-security — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #supply-chain-security, aggregated by home.social.

  1. We hope you enjoyed @glaubinix's talk on the malware filtering features in Composer 2.10 at phpday. Try them out on the latest snapshots today. We appreciate early feedback! Proud to sponsor @phpday in Verona, Italy!

    Slides at glaubinix.github.io/talks/2026

    #php #phpc #phpday #composerphp #supplychainsecurity #malware

  2. Dear opensource developers,

    I added an "adoption" list to the repro-env README. If you publish pre-compiled binaries and you successfully adopted it to allow anyone to reproduce them from source code to prove the absence of a build server compromise, you are very welcome to add yourself to the list. 😺

    github.com/kpcyrd/repro-env#ad

    #reproducible #reproduciblebuilds #supplychainsecurity #rust

  3. TeamPCP claims it breached Mistral AI while the company confirms impact from the TanStack supply chain attack involving malicious NPM and PyPI packages.

    Mistral says there’s currently no evidence of an internal infrastructure breach.

    technadu.com/teampcp-claims-mi

    #Cybersecurity #SupplyChainSecurity #AI #Infosec

  4. Debian 14 Forky is mandating bit-for-bit identical builds to stop supply chain attacks. Discover how this shifts trust from servers to auditable source code.

    More details here: ostechnix.com/debian-linux-rep

    #Debian14 #DebianForky #ReproducibleBuilds #Security #Linux #Packages #SupplyChainSecurity

  5. Open source malicious package detections went from 20,000 a day to 100,000 in twelve months🤯

    Aikido Security has been watching and building for exactly this.

    Proud to have them as a Gold Sponsor for this year!

    aikido.dev/?utm_source=appsec-

    #AppSec #SupplyChainSecurity

  6. You trust your dependencies? That’s the risk. From #Log4Shell to self-replicating worms, attacks don’t hit your code first — they hit your supply chain, often via packages.

    @MohammadAliEN explains what to watch: javapro.io/2026/04/23/the-whis

    #AppSec #Java #SupplyChainSecurity

  7. Palantir Technologies secures $300 million USDA contract to enhance U.S. farmland management and food security amid global supply chain threats and growing concerns over foreign agricultural land acquisitions, marking the company's expansion beyond the defense sector into civilian government agencies.
    #YonhapInfomax #PalantirTechnologies #USDA #FoodSecurity #FarmlandManagement #SupplyChainSecurity #Economics #FinancialMarkets #Banking #Securities #Bonds #StockMarket
    en.infomaxai.com/news/articleV

  8. 🚨 Emergency DevSec Station drop.
    There's an active npm supply chain attack happening right now. Compromised packages are stealing SSH keys, AWS credentials, GitHub tokens, browser passwords, and crypto wallets on install. Then they use your publish token to infect every package you maintain.
    One command can protect you immediately: npm config set ignore-scripts true
    Do it today, please. Tell your team. Watch the full 60 seconds.
    #AppSec #SupplyChainSecurity #DevSecOps #SecureCoding #npm

  9. New article: Using Forgejo git mirrors and Nix flakes to build security-critical software from self-hosted, pinned sources.

    With over 454,000 malicious packages identified in 2025, self-replicating npm worms, and AI-powered attack campaigns, supply chain security is no longer an option for self-hosters.

    The post outlines an approach that effectively mitigates risks and highlights its limitations.

    blog.networld.to/git-mirrors-a

    #NixOS #Forgejo #SupplyChainSecurity #SelfHosting #InfoSec

  10. I'm on Fallthrough: Supply Chain Reaction

    Announcing my appearance as a guest co-host on Fallthrough, talking about supply chain security, AI, Claude Mythos, and many more topics.

    fed.brid.gy/r/https://www.jvt.