Appendix f

Appendix F: Major Supply Chain Incident Timeline¶

This appendix provides a chronological reference of significant software supply chain incidents that have shaped our understanding of supply chain security risks. Each entry documents what happened, the scope of impact, key lessons learned, and sources for further investigation. These incidents span four decades, demonstrating both the evolution of attack techniques and the persistent nature of supply chain vulnerabilities.

Disclaimer on Incident Information: All incident descriptions in this appendix are based on publicly available information, security research reports, and official disclosures as of the publication date (January 2026). Details about security incidents may be:

• Incomplete due to ongoing investigations or undisclosed information
• Subject to interpretation based on available evidence
• Disputed by organizations or individuals mentioned
• Updated as new information emerges after publication

Attribution statements (e.g., "attributed to [threat actor]") reflect assessments by security researchers, government agencies, or industry analysts based on available indicators. Such attributions represent informed professional judgment rather than legal findings or definitive proof.

Organizations and individuals mentioned are referenced for educational purposes to document publicly reported incidents. Such references do not constitute accusations, legal findings, or claims of wrongdoing beyond what has been publicly reported and documented in cited sources.

Readers should consult cited sources for the most current information and official statements from involved parties.

1984¶

Reflections on Trusting Trust¶

Date: October 1984

Summary: Ken Thompson delivered his Turing Award lecture "Reflections on Trusting Trust," demonstrating how a compiler could be modified to insert a backdoor into any program it compiles—including future versions of the compiler itself. Thompson showed that even if you inspect source code and find it clean, you cannot trust the compiled binary unless you trust the entire toolchain that produced it.

Impact Scope: Conceptual/theoretical demonstration affecting all compiled software

Key Lessons:

• Trust in software must extend to the entire build toolchain, not just source code
• Self-replicating backdoors can persist across compiler generations without appearing in source
• Binary verification and reproducible builds are essential for establishing trust
• The "trusting trust" problem remains fundamentally unsolved for most software

Sources:

• Thompson, K., "Reflections on Trusting Trust," Communications of the ACM, 1984¹

2008¶

Debian OpenSSL Weak Key Generation (CVE-2008-0166)¶

Date: May 13, 2008 (disclosed)

Summary: A Debian maintainer inadvertently removed critical entropy-gathering code from OpenSSL in 2006 while addressing a Valgrind warning. This reduced the randomness of generated cryptographic keys to approximately 32,767 possible values per architecture and key size. The vulnerability persisted undetected for nearly two years in Debian and derivative distributions including Ubuntu.

Impact Scope: All cryptographic keys generated on affected Debian-based systems from September 2006 to May 2008, including SSH keys, SSL certificates, and OpenVPN keys

Key Lessons:

• Security-critical code changes require expert review, even for seemingly minor modifications
• Upstream maintainers and downstream packagers must communicate effectively about changes
• Cryptographic code is especially sensitive—warnings may indicate security features, not bugs
• Long detection times for subtle vulnerabilities highlight the need for security auditing

Sources:

• Debian Security Advisory DSA-1571-1²
• CVE-2008-0166³
• Schneier, B., "Random Number Bug in Debian Linux," 2008⁴

2014¶

Heartbleed (CVE-2014-0160)¶

Date: April 7, 2014 (disclosed)

Summary: A buffer over-read vulnerability in OpenSSL's implementation of the TLS heartbeat extension allowed attackers to read up to 64KB of server memory per request, potentially exposing private keys, session tokens, passwords, and other sensitive data. The bug was introduced in December 2011 and affected OpenSSL versions 1.0.1 through 1.0.1f.

Impact Scope: Estimated 17% of internet SSL servers (approximately 500,000 servers) at time of disclosure; affected major services including Yahoo, Imgur, and numerous others

Key Lessons:

• Critical infrastructure software often lacks adequate funding and maintainer resources
• Memory-unsafe languages (C) in security-critical code present persistent risks
• Widespread dependencies on single implementations create systemic vulnerability
• Led directly to formation of the Core Infrastructure Initiative (now OpenSSF)

Sources:

• Heartbleed.com⁵
• CVE-2014-0160⁶
• Durumeric, Z., et al., "The Matter of Heartbleed," IMC 2014⁷

2016¶

left-pad Incident¶

Date: March 22, 2016

Summary: Developer Azer Koculu unpublished 273 NPM packages, including the 11-line left-pad utility, following a trademark dispute with messaging app Kik. Because left-pad was a dependency of Babel, React, and thousands of other projects, builds worldwide began failing immediately. NPM took the unprecedented step of un-unpublishing the package to restore service.

Impact Scope: Thousands of JavaScript projects experienced build failures; major frameworks including React and Babel were affected; incident lasted approximately 2.5 hours before NPM intervention

Key Lessons:

• Micro-dependencies create fragile dependency chains
• Package registries need policies governing package removal
• Build systems should not assume package availability
• Dependency vendoring and lock files provide resilience against upstream changes

Sources:

• Koculu, A., "I've Just Liberated My Modules," 2016⁸
• Williams, C., "How one developer just broke Node, Babel and thousands of projects," The Register, 2016⁹
• NPM Blog, "kik, left-pad, and npm," 2016¹⁰

2018¶

event-stream Compromise¶

Date: November 26, 2018 (disclosed)

Summary: A malicious actor gained maintainership of the popular event-stream NPM package through social engineering, then added a dependency on flatmap-stream containing obfuscated code targeting the Copay Bitcoin wallet. The attack specifically extracted private keys from Copay wallet users. The original maintainer had transferred control after the attacker offered to help maintain the project.

Impact Scope: event-stream had approximately 2 million weekly downloads; the malicious payload specifically targeted Copay wallet versions 5.0.2 through 5.1.0

Key Lessons:

• Maintainer succession requires careful vetting and trust establishment
• Transitive dependencies can introduce malicious code without direct project changes
• Targeted attacks may hide within broadly-used packages
• Package consumers should monitor for unexpected dependency additions

Sources:

• GitHub Issue #116, "I don't know what to say," dominictarr/event-stream¹¹
• Snyk, "Malicious code found in npm package event-stream," 2018¹²
• NPM Security Advisory¹³

2020¶

SolarWinds SUNBURST Attack¶

Date: December 13, 2020 (disclosed); attack began March 2020

Summary: Nation-state actors (attributed to Russian SVR) compromised SolarWinds' Orion software build system, inserting the SUNBURST backdoor into updates distributed to approximately 18,000 organizations. The malware remained dormant for two weeks after installation before beaconing to attacker-controlled infrastructure. The attack was discovered by FireEye after noticing anomalous activity in their own environment.

Impact Scope: Approximately 18,000 organizations installed the compromised update; confirmed breaches at multiple U.S. government agencies (Treasury, Commerce, Homeland Security, State Department, and others), Microsoft, FireEye, and numerous Fortune 500 companies

Key Lessons:

• Build system security is as critical as source code security
• Software signing alone does not guarantee integrity—the build process must be secured
• Sophisticated attackers target widely-deployed management software for maximum reach
• Detection of supply chain compromises requires behavioral analysis beyond signature matching
• Led to Executive Order 14028 mandating SBOM adoption for federal software procurement

Sources:

• CISA, "Advanced Persistent Threat Compromise of Government Agencies," Alert AA20-352A¹⁴
• FireEye, "Highly Evasive Attacker Leverages SolarWinds Supply Chain," 2020¹⁵
• Microsoft, "Analyzing Solorigate," 2020¹⁶

2021¶

Codecov Bash Uploader Compromise¶

Date: April 1, 2021 (disclosed); attack began January 31, 2021

Summary: Attackers exploited a vulnerability in Codecov's Docker image creation process to modify the Bash Uploader script, adding code that exfiltrated environment variables (including CI/CD secrets, API tokens, and credentials) from customer build environments to an attacker-controlled server. The compromise persisted for over two months before detection.

Impact Scope: Approximately 29,000 customers potentially affected; confirmed secondary breaches at Twitch, HashiCorp, and others whose secrets were exfiltrated

Key Lessons:

• CI/CD environments contain high-value secrets requiring protection
• Scripts fetched and executed during builds are attack vectors
• Supply chain attacks can cascade—compromised credentials enable secondary attacks
• Integrity verification (checksums, signatures) should be mandatory for build-time dependencies

Sources:

• Codecov, "Bash Uploader Security Update," 2021¹⁷
• HashiCorp, "Codecov Security Event Impact," 2021¹⁸
• Reuters, "Codecov hackers breached hundreds of networks," 2021¹⁹

ua-parser-js Hijacking¶

Date: October 22, 2021

Summary: Attackers compromised the NPM account of the ua-parser-js maintainer and published three malicious versions (0.7.29, 0.8.0, 1.0.0) containing cryptocurrency miners and password-stealing trojans. The package, used for parsing browser user-agent strings, had approximately 8 million weekly downloads. The compromise was detected and removed within hours.

Impact Scope: Approximately 8 million weekly downloads; malicious versions available for approximately 4 hours; CISA issued alert regarding potential federal agency exposure

Key Lessons:

• High-download packages are attractive targets for account takeover
• Multi-factor authentication on package registry accounts is essential
• Rapid detection and response capabilities are critical for package registries
• Even brief windows of compromise can affect millions of downstream users

Sources:

• GitHub Advisory GHSA-pjwm-rvh2-c87w²⁰
• CISA, "MAR-10354752-1.v1," 2021²¹
• Bleeping Computer, "Popular npm library hijacked," 2021²²

Log4Shell (CVE-2021-44228)¶

Date: December 9, 2021 (disclosed)

Summary: A critical remote code execution vulnerability was discovered in Apache Log4j 2, a ubiquitous Java logging library. The flaw allowed attackers to execute arbitrary code by submitting specially crafted strings that triggered JNDI lookups to attacker-controlled servers. Due to Log4j's prevalence across enterprise software, cloud services, and embedded systems, the vulnerability was described as one of the most severe in internet history.

Impact Scope: Estimated hundreds of millions of affected devices; exploited within hours of disclosure; affected services included Apple iCloud, Amazon AWS, Cloudflare, Steam, Minecraft, and countless enterprise applications

Key Lessons:

• Ubiquitous dependencies create systemic risk across the software ecosystem
• Many organizations lack visibility into their transitive dependencies
• Vulnerability disclosure in widely-used libraries requires coordinated response
• SBOM adoption is essential for rapid vulnerability identification and response
• Feature-rich libraries may contain unexpected attack surface (JNDI lookup feature)

Sources:

• Apache Log4j Security Vulnerabilities²³
• CVE-2021-44228²⁴
• CISA, "Apache Log4j Vulnerability Guidance," 2021²⁵
• Swiss Government NCSC, "Log4j Analysis," 2021²⁶

2022¶

colors.js and faker.js Sabotage (Protestware)¶

Date: January 8, 2022

Summary: The maintainer of colors.js and faker.js, Marak Squires, deliberately corrupted both packages in protest of large corporations using open source without adequate compensation. The colors.js update introduced an infinite loop printing "LIBERTY LIBERTY LIBERTY" along with ANSI art, while faker.js was emptied entirely. The packages had a combined weekly download count exceeding 25 million.

Impact Scope: Approximately 19,000 projects depended on colors.js; Amazon AWS Cloud Development Kit (CDK) builds were disrupted; faker.js was subsequently forked as @faker-js/faker with new maintainers

Key Lessons:

• Open source sustainability and maintainer burnout create security risks
• Single-maintainer projects represent single points of failure
• Package registries should consider policies for detecting and responding to self-sabotage
• Dependency pinning and lock files provide protection against malicious updates
• Community forks can provide continuity when original projects are compromised

Sources:

• Bleeping Computer, "Dev corrupts npm libs 'colors' and 'faker'," 2022²⁷
• GitHub Issue, colors.js #317²⁸
• The Verge, "Open source developer corrupts widely-used libraries," 2022²⁹

node-ipc Protestware (CVE-2022-23812)¶

Date: March 15, 2022 (disclosed)

Summary: The maintainer of node-ipc, a popular inter-process communication library, added code that detected Russian and Belarusian IP addresses and overwrote files on affected systems with heart emojis, in protest of Russia's invasion of Ukraine. Earlier versions contained more destructive code. The package had approximately 1 million weekly downloads and was a dependency of the Vue.js CLI.

Impact Scope: Approximately 1 million weekly downloads; Vue.js CLI users potentially affected; systems with Russian or Belarusian IP addresses experienced data destruction

Key Lessons:

• "Protestware" represents a distinct threat category where trusted maintainers weaponize their access
• Geopolitical events can motivate software supply chain attacks
• Even well-intentioned political actions in software cause collateral damage
• Automated behavioral analysis could detect unexpected file system operations
• Package registry policies must address intentional sabotage by maintainers

Sources:

• Snyk, "Protestware: Open Source Malware," 2022³⁰
• CVE-2022-23812³¹
• Snyk, "node-ipc protestware analysis," 2022³²

PyTorch Dependency Confusion (torchtriton)¶

Date: December 2022

Summary: A malicious PyPI package named torchtriton exploited dependency confusion to target internal PyTorch build systems. The package executed during installation and attempted to exfiltrate environment data.

Impact Scope: Limited external exposure; internal systems targeted

Key Lessons:

• Dependency confusion remains viable years after disclosure
• Internal package namespaces require defensive registration
• ML tooling pipelines are high-value targets

Sources:

• PyTorch Security Advisory, December 2022³³
• Checkmarx, "PyTorch Dependency Confusion," 2023³⁴

2023¶

3CX Supply Chain Attack¶

Date: March 29, 2023 (disclosed)

Summary: The 3CX desktop application, a voice and video conferencing client used by over 600,000 organizations, was compromised through a cascading supply chain attack. Attackers first compromised X_TRADER, a trading software application from Trading Technologies, then used credentials from a 3CX employee who had installed the compromised X_TRADER to access 3CX's build environment. The attack was attributed to North Korean threat actors (Lazarus Group).

Impact Scope: Approximately 600,000 customer organizations; 12 million daily users; both Windows and macOS versions were compromised; secondary payload targeted cryptocurrency companies

Key Lessons:

• Supply chain attacks can cascade—one compromise enables the next
• Employee workstations with development access require heightened security
• Nation-state actors invest in long-term, multi-stage supply chain operations
• Build environment isolation and integrity verification are essential
• Detection requires correlation across multiple vendors and time periods

Sources:

• CrowdStrike, "3CXDesktopApp Supply Chain Attack," 2023³⁵
• Mandiant, "3CX Supply Chain Compromise," 2023³⁶
• 3CX Security Advisory³⁷

GitHub Dependabot Account Compromise Attempts¶

Date: Ongoing 2023

Summary: Multiple campaigns attempted to exploit Dependabot PR workflows to introduce malicious dependency updates, relying on automated merging or insufficient review.

Impact Scope: No confirmed large-scale compromise, but repeated near-misses across major repositories

Key Lessons:

• Automation amplifies both defense and risk
• Dependency update bots require strict policy controls
• "Near misses" should be treated as incidents for learning

npm eslint-scope / @eslint Ecosystem Confusion Attempt¶

Date: Mid-2023

Summary: Attackers attempted to exploit namespace trust around ESLint-related packages using lookalike names and social engineering, though widespread compromise was avoided.

Key Lessons:

• Trusted namespaces create implicit trust
• Visual similarity attacks bypass human review
• Namespace governance is a security control

Ledger Connect Kit Compromise¶

Date: December 14, 2023

Summary: Attackers compromised a former Ledger employee's NPMJS account through a phishing attack and published malicious versions (1.1.5–1.1.7) of the Ledger Connect Kit, a JavaScript library used by decentralized applications (dApps) to connect to Ledger hardware wallets. The malicious code contained a wallet drainer that redirected cryptocurrency transactions to attacker-controlled addresses.

Impact Scope: Over 100 cryptocurrency projects potentially affected; confirmed losses exceeded $600,000; attack window was approximately 5 hours before detection and takedown

Key Lessons:

• Former employee accounts should be promptly deactivated
• Cryptocurrency and financial software are high-value targets
• NPM account security (MFA, access controls) is critical for sensitive packages
• Real-time monitoring for package modifications can reduce attack windows
• End-user impact can be immediate and financially devastating

Sources:

• Ledger, "Security Incident Report," 2023³⁸
• Blockaid, "Ledger Connect Kit Incident Analysis," 2023³⁹
• CoinDesk, "Ledger Library Compromised," 2023⁴⁰

2024¶

BIPClip PyPI Campaign¶

Date: March 12, 2024

Summary: ReversingLabs researchers exposed BIPClip, a malicious PyPI campaign targeting developers working on cryptocurrency wallet projects. The packages posed as open-source libraries to steal BIP39 mnemonic phrases—the recovery passwords used to restore cryptocurrency wallets. The campaign specifically targeted the intersection of cryptocurrency and open source development.

Impact Scope: Developers working on cryptocurrency wallet recovery; potential theft of wallet recovery credentials

Key Lessons:

• Cryptocurrency developers are high-value targets for supply chain attacks
• Attackers research specific developer workflows to craft targeted packages
• Package names may reference legitimate cryptographic standards (BIP39) to appear authentic
• Code review must scrutinize packages handling sensitive cryptographic material

Sources:

• Karlo Zanki, "BIPClip: Malicious PyPI packages target crypto wallet recovery passwords," ReversingLabs, March 12, 2024⁴¹

XZ Utils Backdoor (CVE-2024-3094)¶

Date: March 29, 2024 (disclosed)

Summary: A sophisticated backdoor was discovered in XZ Utils versions 5.6.0 and 5.6.1, a widely-used compression library included in most Linux distributions. The attacker, operating under the pseudonym "Jia Tan," spent approximately two years building trust within the project before inserting obfuscated malicious code that enabled remote code execution for attackers possessing a specific Ed448 private key. The backdoor specifically targeted OpenSSH servers through systemd integration. The compromise was discovered accidentally by Andres Freund, a Microsoft engineer, who noticed SSH authentication was taking 500ms longer than expected.

Impact Scope: Multiple Linux distributions (Fedora 40/41 Rawhide, Debian testing/unstable, openSUSE Tumbleweed, Arch Linux, Kali Linux) included or nearly included the compromised versions; the backdoor would have provided remote root access to affected systems

Key Lessons:

• Social engineering attacks against maintainers can span years
• Open source projects face pressure to accept "helpful" contributors
• Upstream dependencies in foundational libraries pose systemic risk
• Performance anomalies can indicate security issues—observability matters
• Binary artifacts in repositories merit heightened scrutiny
• Reproducible builds could have detected the discrepancy between source and binary

Sources:

• Freund, A., "Backdoor in upstream xz/liblzma," oss-security mailing list, 2024⁴²
• CVE-2024-3094⁴³
• CISA Alert, "XZ Utils Backdoor," 2024⁴⁴
• Arstechnica, "What we know about the xz Utils backdoor," 2024⁴⁵

VS Code Extension Marketplace Malware Campaigns¶

Date: 2024 (multiple waves)

Summary: Multiple malicious extensions were identified in the Visual Studio Code Marketplace, including extensions that harvested credentials, opened reverse shells, or downloaded second-stage payloads. Some impersonated popular AI or developer tooling extensions.

Impact Scope: Hundreds of thousands of installs before takedown

Key Lessons:

• IDEs are part of the software supply chain
• Extension ecosystems mirror package registries in risk profile
• Developer workstations are high-value targets

GitHub Release Asset Replacement Attacks¶

Date: 2024

Summary: Researchers identified cases where attackers compromised repositories and replaced GitHub release binaries without modifying source code, exploiting the fact that many users download prebuilt artifacts directly.

Impact Scope: Limited but high-impact for affected projects

Key Lessons:

• Release artifacts require the same integrity guarantees as source
• Reproducible builds matter beyond theory
• "Source available" does not mean "binary trustworthy"

Polyfill.io Supply Chain Attack¶

Date: June 25, 2024 (disclosed)

Summary: The domain polyfill.io, which provided a popular JavaScript polyfill service used by over 100,000 websites, was sold to a Chinese company (Funnull) that subsequently modified the code to inject malicious redirects and malware. The service had been embedded in websites via CDN script tags, meaning the new owners could serve arbitrary JavaScript to all sites using the service. Google began blocking ads for sites using polyfill.io.

Impact Scope: Over 100,000 websites affected including major sites; Namecheap suspended the domain; Cloudflare and Fastly created automatic redirects to safe mirrors

Key Lessons:

• Third-party CDN dependencies create single points of compromise
• Domain/service ownership transfers can weaponize previously trusted resources
• Self-hosting or using Subresource Integrity (SRI) provides protection
• Long-term trust relationships with services require ongoing verification
• CDN providers should implement domain change monitoring

Sources:

• Sansec, "Polyfill.io supply chain attack," 2024⁴⁶
• Cloudflare Blog, "Polyfill.io automatic replacement," 2024⁴⁷
• Google Ads Policy Update, June 2024⁴⁸

Justice AV Solutions (JAVS) Compromise¶

Date: May 23, 2024 (disclosed); attack began April 2024

Summary: Attackers compromised the Justice AV Solutions video-recording software installer, used in courtrooms, legal offices, correctional facilities, and government agencies worldwide. The attack involved repackaging the legitimate installer with a malicious executable (fffmpeg.exe—a typosquat on the legitimate ffmpeg.exe) containing the RustDoor/GateDoor malware. The malware collected credentials and disabled security measures including AMSI and ETW. The installer was signed with a certificate issued to "Vanguard Tech Limited" rather than JAVS, suggesting attackers compromised distribution infrastructure rather than the build environment.

Impact Scope: Courtrooms, prisons, police stations, and other justice system organizations worldwide; linked to ShadowSyndicate ransomware-as-a-service group

Key Lessons:

• Commercial software binaries require verification before deployment, not blind trust
• Typosquatting techniques apply within installers, not just package registries
• Certificate signing alone is insufficient—the signing entity must be verified
• Differential analysis can detect tampering indicators before deployment
• Distribution infrastructure is as critical to secure as build environments

Sources:

• ReversingLabs, "The 2025 Software Supply Chain Security Report," 2025⁴⁹
• Rapid7, "CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software," May 2024⁵⁰
• BleepingComputer, "JAVS courtroom recording software backdoored in supply chain attack," May 2024⁵¹

Shai Hulud GitHub Actions Campaign¶

Date: September-November 2025 (disclosed September 18, 2025)

Summary: The Shai Hulud campaign exploited misconfigured GitHub Actions workflows to compromise npm package publishing credentials across major open source projects. Attackers identified repositories using dangerous workflow triggers like pull_request_target and submitted malicious pull requests that executed in the context of the target repository with access to secrets. The campaign targeted high-profile projects including AsyncAPI, PostHog, Postman, Zapier, and ENS Domains.

Impact Scope: Major projects compromised; npm publishing tokens stolen; malicious packages published to npm registry; attacks continued spreading to new organizations hourly during the active campaign period

Key Lessons:

• GitHub Actions workflow configurations are critical attack surface
• pull_request_target and workflow_run triggers enable code from forks to access secrets
• CI/CD misconfigurations can serve as "patient zero" for cascading supply chain attacks
• Traditional PR-scanning tools failed to detect vulnerable workflow configurations
• Manual npm package uploads from "codespace" and "runner" usernames indicate CI exploitation
• Organizations must implement security scanning specifically for CI/CD configurations

Sources:

• Aikido Security, "Shai Hulud GitHub Actions Incident," 2025⁵²
• Unit 42, "GitHub Actions Supply Chain Attack," 2025⁵³

@lottiefiles/lottie-player Malware¶

Date: November 21, 2024

Summary: Three versions of the npm package @lottiefiles/lottie-player were found infected with malware designed to steal cryptocurrency wallet assets. The package, used for animation playback, was compromised to target users' cryptocurrency holdings.

Impact Scope: Users of Lottie animation library; cryptocurrency wallet theft

Key Lessons:

• Seemingly unrelated packages (animation libraries) can be weaponized for financial theft
• Cryptocurrency theft code can be injected into any popular package
• Version pinning and integrity verification protect against mid-stream compromise

Sources:

• ReversingLabs, "The 2025 Software Supply Chain Security Report," 2025⁵⁴

aiocpa Legitimate-to-Malicious Package Flip¶

Date: November 28, 2024 (disclosed)

Summary: ReversingLabs detected malicious code in the Python package aiocpa, which had been originally engineered as a legitimate cryptocurrency payment client. The package attracted a legitimate user base before a subsequent update compromised cryptocurrency wallets using the client. This represents an evolution in attack sophistication—rather than typosquatting or hijacking, attackers invested time creating genuinely useful software to build trust before weaponization.

Impact Scope: Users of the aiocpa cryptocurrency client; cryptocurrency wallet compromise

Key Lessons:

• Attackers are investing in long-term operations, creating legitimate packages before flipping
• Package age and functionality do not guarantee safety—ongoing monitoring is essential
• Cryptocurrency-focused packages warrant heightened scrutiny regardless of apparent legitimacy
• Behavioral analysis must detect changes in package behavior across versions

Sources:

• Karlo Zanki, "Malicious PyPI crypto pay package aiocpa implants infostealer code," ReversingLabs, November 28, 2024⁵⁵

@solana/web3.js Compromise¶

Date: December 5, 2024

Summary: Attackers compromised the npm package @solana/web3.js, a JavaScript API for the Solana blockchain platform, implanting malicious functions in two package versions. The compromise occurred through a stolen maintainer account with publishing privileges. The package ranks among the top 10,000 projects in the npm community with more than 3,000 dependent projects and 400,000 weekly downloads.

Impact Scope: 400,000 weekly downloads; 3,000 dependent projects; Solana blockchain ecosystem

Key Lessons:

• High-profile packages with extensive dependency chains are priority targets
• Compromised maintainer credentials enable direct package modification without build system compromise
• Even packages from well-funded blockchain foundations require continuous monitoring
• Downstream impact scales with dependency count and download volume

Sources:

• Paul Roberts, "Malware found in Solana npm library raises the bar for crypto security," ReversingLabs, December 5, 2024⁵⁶

Ultralytics Build Environment Compromise¶

Date: December 9, 2024

Summary: Attackers compromised the popular AI library Ultralytics by exploiting a previously reported GitHub Actions script injection vulnerability. The attack compromised the build environment and injected malicious code after the code review process completed, resulting in malicious updates pushed to a library with close to 60 million downloads. The injected code downloaded the XMRig cryptocurrency miner.

Impact Scope: Nearly 60 million downloads; AI/ML development community; cryptocurrency mining on compromised systems

Key Lessons:

• GitHub Actions workflow vulnerabilities can compromise build environments
• Code review is insufficient when attacks occur after the review stage
• AI/ML libraries are increasingly targeted supply chain attack vectors
• Known vulnerabilities in CI/CD configurations require immediate remediation

Sources:

• Karlo Zanki, "Compromised ultralytics PyPI package delivers crypto coinminer," ReversingLabs, December 9, 2024⁵⁷

rspack and vant Cryptomining Compromise¶

Date: December 20, 2024

Summary: The npm packages rspack (a Rust-based JavaScript bundler) and vant (a Vue.js mobile UI component library) were compromised with cryptomining malware. The attacks demonstrated continued targeting of developer tools and popular UI frameworks.

Impact Scope: Users of rspack build tool and vant UI framework; cryptomining on affected systems

Key Lessons:

• Build tools represent high-value targets—they execute in privileged environments
• UI component frameworks with many dependents amplify attack impact
• Cryptomining payloads provide attackers immediate monetization

Sources:

• ReversingLabs, "The 2025 Software Supply Chain Security Report," 2025⁵⁸

PyPI Typosquatting Campaign¶

Date: Ongoing throughout 2024

Summary: Multiple coordinated campaigns uploaded hundreds of malicious packages to PyPI using typosquatting techniques, targeting popular packages like requests, beautifulsoup4, and tensorflow. These packages contained credential stealers, cryptocurrency miners, and backdoors. While individual packages were removed quickly, the campaigns demonstrated the ongoing challenge of preventing malicious package uploads at scale.

Impact Scope: Hundreds of malicious packages; thousands of downloads before detection; primarily affected developers who mistyped package names during installation

Key Lessons:

• Typosquatting remains an effective attack vector at scale
• Automated detection can identify but not prevent all malicious uploads
• Developer education about verification before installation is essential
• Package managers should implement proactive typosquatting detection
• Corporate environments benefit from curated internal package repositories

Sources:

• Phylum Research, "PyPI Typosquatting," 2024⁵⁹
• PyPI Security Reports, 2024⁶⁰
• Checkmarx Supply Chain Security Research, 2024⁶¹

2025¶

nullifAI Hugging Face Attack¶

Date: February 6, 2025

Summary: ReversingLabs researchers discovered a malicious technique dubbed "nullifAI" where attackers placed malicious code in Pickle serialization files while evading protections built into the Hugging Face open-source AI/ML platform. When users loaded the apparently benign ML models, the Pickle format serialization files executed malicious code on their systems. The attack exploited the inherently unsafe nature of Python's Pickle format, which allows embedded code execution during deserialization.

Impact Scope: Users of Hugging Face platform loading malicious ML models; demonstrates broader AI/ML supply chain vulnerability

Key Lessons:

• Python Pickle files are "inherently unsafe" and require the same scrutiny as executable code
• AI/ML model distribution represents a distinct supply chain attack surface
• Platform-level protections can be evaded through format-specific vulnerabilities
• Serialized ML models must be vetted with the same rigor as software packages

Sources:

• Karlo Zanki, "Malicious ML models discovered on Hugging Face platform," ReversingLabs, February 6, 2025⁶²

IPany VPN Supply Chain Attack¶

Date: January 22, 2025

Summary: The South Korean VPN client IPany was breached in a supply chain attack that pushed custom malware to users. The compromise demonstrated continued targeting of VPN and security software—products that users trust implicitly and that often run with elevated privileges.

Impact Scope: IPany VPN users in South Korea and globally

Key Lessons:

• Security software (VPNs, antivirus, endpoint protection) represents high-value supply chain targets
• Regional software may be targeted for geopolitical or strategic access
• Commercial security binaries require the same verification as any other software

Sources:

• Bill Toulas, "IPany VPN breached in supply-chain attack to push custom malware," BleepingComputer, January 22, 2025⁶³

GitHub Action tj-actions/changed-files Compromise (CVE-2025-30066)¶

Date: March 2025

Summary: Attackers exploited a high-severity vulnerability (CVE-2025-30066) to modify the code of the popular tj-actions/changed-files GitHub Action. By updating version tags to reference a malicious commit, the attackers caused CI/CD secrets to be leaked into public build logs across thousands of projects that relied on the action. This attack demonstrated the risks of trusting mutable version tags in GitHub Actions.

Impact Scope: Thousands of projects using the action; CI/CD secrets exposed in public build logs

Key Lessons:

• GitHub Actions version tags are mutable and can be redirected to malicious commits
• Organizations should pin GitHub Actions to specific commit SHAs, not version tags
• CI/CD secrets in build logs represent a significant exposure risk
• Popular Actions become high-value targets due to their wide adoption

Sources:

• Silobreaker, "Supply Chain Attacks in 2025: A Month-by-Month Summary," 2025⁶⁴

Erlang/OTP SSH Zero-Day (CVE-2025-32433)¶

Date: April 2025

Summary: A CVSS 10.0 vulnerability was discovered in the Erlang/OTP SSH daemon, a foundational technology for telecommunications (Ericsson) and messaging (WhatsApp). The flaw allowed for pre-authentication remote code execution, meaning attackers could take full control of a system before any login occurred by sending specially crafted SSH protocol messages. This vulnerability highlighted the systemic risk posed by flaws in foundational libraries that underpin critical infrastructure.

Impact Scope: Telecommunications infrastructure, messaging platforms including WhatsApp, any system using Erlang/OTP SSH daemon

Key Lessons:

• Foundational libraries in critical infrastructure pose systemic risk when compromised
• Pre-authentication vulnerabilities are particularly dangerous as they bypass all access controls
• Telecommunications and messaging infrastructure share common dependencies
• CVSS 10.0 vulnerabilities in widely-deployed components require emergency response

Sources:

• Unit 42, "Vulnerability Analysis CVE-2025-32433," 2025⁶⁵

Notepad++ Update Hijacking¶

Date: June 2025 (infrastructure compromised); July-October 2025 (active infection campaigns); December 2025 (full remediation); February 2026 (disclosure)

Summary: Attackers attributed to the Chinese APT group Lotus Blossom/Spring Dragon (attribution by Kaspersky) compromised the shared hosting provider used by Notepad++ to hijack update traffic. Rather than compromising the build system, attackers intercepted requests to the legitimate update endpoint and selectively redirected targeted victims to malicious update servers while legitimate users received normal updates. The attack employed three distinct infection chains over several months: a ProShow vulnerability exploit delivering Cobalt Strike, Lua interpreter abuse for payload delivery, and DLL sideloading with the Chrysalis backdoor. The selective targeting made detection difficult, and the attack persisted for approximately five months before discovery and remediation.

Impact Scope: Targeted victims including government organizations (Philippines), financial institutions (El Salvador), and IT service providers (Vietnam); approximately a dozen confirmed infections representing a state-sponsored espionage operation—a small number that likely belies significant intelligence value, comparable to how SolarWinds actively exploited roughly 100 of its 18,000 infected organizations

Key Lessons:

• Infrastructure dependencies (hosting providers, CDNs) are part of the supply chain attack surface
• Signature verification must confirm the expected publisher, not just certificate validity—Notepad++'s updater (WinGUp) verified that a valid certificate existed but did not verify it belonged to the expected publisher
• Signed update manifests (e.g., XMLDSig) can prevent tampering even when traffic is redirected, though comprehensive frameworks like TUF⁶⁹ provide broader protections
• Selective targeting allows attackers to evade broad security monitoring
• User reports of unusual network connections (e.g., to temp.sh) can provide early detection signals—organizations should formalize channels for reporting anomalous software behavior

Sources:

• Kaspersky Securelist, "A Supply Chain Attack on Notepad++," February 2, 2026⁶⁶
• Notepad++, "Hijacked Incident Info Update," February 2, 2026⁶⁷
• Notepad++, "v8.8.9 Released," December 9, 2025⁶⁸
• NVD, CVE-2025-15556 (CWE-494, CVSS 7.5): Missing cryptographic verification in WinGUp updater⁸⁰
• CISA KEV catalog: CVE-2025-15556 added February 12, 2026; federal remediation due March 5, 2026⁸¹

PhantomRaven npm Campaign¶

Date: August 2025

Summary: The PhantomRaven campaign utilized 126 malicious npm packages to target global developers. Unlike previous "shotgun" approaches, this was a highly targeted campaign designed specifically to steal npm tokens and GitHub credentials to facilitate further supply chain pivots into corporate private repositories. The campaign demonstrated increasing sophistication in how attackers leverage initial compromises to achieve broader access.

Impact Scope: Developers globally; npm tokens and GitHub credentials stolen; potential for cascading attacks into private repositories

Key Lessons:

• Attackers are shifting from broad attacks to targeted credential harvesting
• Stolen npm/GitHub tokens enable pivoting into private corporate repositories
• Supply chain attacks increasingly serve as initial access for deeper compromises
• Credential rotation and token monitoring are essential defenses

Sources:

• Socket.dev, "npm Malware Campaign PhantomRaven," 2025⁷⁰

Shai-Hulud npm Worm¶

Date: September 2025 (initial); November 2025 (Shai-Hulud 2.0)

Summary: Researchers discovered a self-replicating malware campaign dubbed "Shai-Hulud" targeting the npm ecosystem. The attack began with phishing campaigns spoofing npm 2FA update notifications to harvest maintainer credentials. Once attackers gained access to a maintainer account, the worm automatically trojanized that developer's packages by modifying package.json files and republishing them. It successfully compromised over 500 packages in the initial wave, focusing on harvesting GitHub, npm, and AWS secrets from developer environments. This represented a significant evolution in supply chain attacks—from one-off compromises to self-propagating infections.

In November 2025, a second wave dubbed "Shai-Hulud 2.0" emerged with modified tactics, compromising nearly 800 additional packages before containment. The combined attacks directly catalyzed npm's aggressive security overhaul, including the deprecation of TOTP 2FA, mandatory phishing-resistant authentication, and the permanent revocation of all classic tokens.

Impact Scope: Over 1,300 npm packages compromised across both waves; GitHub, npm, and AWS secrets harvested; self-replicating propagation; estimated $50 million in cryptocurrency theft

Key Lessons:

• Self-replicating supply chain malware can achieve exponential spread
• Automated republishing of compromised packages accelerates infection
• Multi-platform credential harvesting (GitHub, npm, AWS) maximizes attacker value
• Registry-level defenses must detect and prevent automated malicious updates
• TOTP-based 2FA is vulnerable to real-time phishing; phishing-resistant authentication is essential
• The attack led directly to major npm security policy changes

Sources:

• Truesec, "500 npm Packages Compromised in Ongoing Supply Chain Attack Shai-Hulud," 2025⁷¹
• CISA, "Widespread Supply Chain Compromise Impacting npm Ecosystem," September 23, 2025⁷²
• Microsoft Security Blog, "Shai-Hulud 2.0 Guidance," December 2025⁷³

Josh Junon (Qix) Account Hijack¶

Date: September 2025

Summary: One of the most high-impact account takeovers in npm history occurred when the account of prominent maintainer Josh Junon (Qix) was compromised. This led to the injection of malicious code into 20+ core packages, including ansi-styles, chalk, and debug, which collectively see over 2 billion weekly downloads. The malware was designed to drain cryptocurrency wallets from developers' machines.

Impact Scope: 20+ core npm packages; over 2 billion weekly downloads affected; cryptocurrency wallet theft

Key Lessons:

• Single maintainer accounts controlling multiple high-impact packages represent concentrated risk
• Account security for prolific maintainers requires enterprise-grade protections
• Cryptocurrency theft remains a primary monetization strategy for supply chain attackers
• The npm ecosystem's reliance on a small number of maintainers creates systemic vulnerability

Sources:

• The Hacker News, "20 Popular npm Packages with 2 Billion Weekly Downloads Compromised," September 2025⁷⁴

BoltDB Typosquatting Backdoor¶

Date: September 2025

Summary: A sophisticated backdoor was discovered in a typosquatted version of the popular BoltDB Go module. The malicious package looked identical to the original but included a hidden routine that established a reverse shell back to the attacker's server upon the first compilation of any project using the module. This attack demonstrated that typosquatting remains effective even in ecosystems with strong naming conventions.

Impact Scope: Go developers using the typosquatted module; reverse shell access to developer machines

Key Lessons:

• Typosquatting attacks have expanded beyond npm/PyPI to the Go ecosystem
• Compilation-time execution allows attacks before runtime security controls engage
• Reverse shells provide attackers persistent, interactive access to developer environments
• Module verification must occur before compilation, not just at runtime

Sources:

• CISA, "npm and Go Ecosystem Risks Alert," September 2025⁷⁵

Red Hat GitLab Repository Breach¶

Date: October 2025

Summary: The "Crimson Collective" threat group claimed responsibility for exfiltrating 570GB of data from over 28,000 internal Red Hat repositories. The breach exposed sensitive infrastructure settings, VPN configurations, and Customer Engagement Reports, highlighting the risks of hosting massive open-source and internal codebases on unified platforms.

Impact Scope (alleged): 28,000+ internal Red Hat repositories; 570GB of data claimed exfiltrated; infrastructure settings, VPN configurations, and customer data reportedly exposed. Independent confirmation of these claims was not publicly available at the time of writing.

Key Lessons:

• Unified platforms hosting both open-source and internal code present aggregated risk
• Large-scale repository breaches expose infrastructure configurations alongside code
• Customer engagement data combined with infrastructure details enables targeted attacks
• Enterprise GitLab/GitHub instances require segmentation between public and sensitive projects

Sources:

• Guardz Security Blog, "Top Recent Data Breaches," 2025⁷⁶

Glass Worm (Open VSX Marketplace)¶

Date: October 2025

Summary: The first major self-propagating infection of the Open VSX Marketplace (an open-source alternative to the VS Code Marketplace) was detected. The "Glass Worm" malware embedded invisible code into VS Code extensions that would infect the user's workspace and attempt to re-upload infected versions of any extension the developer was working on. This demonstrated that IDE extension marketplaces face the same supply chain risks as package registries.

Impact Scope: Open VSX Marketplace users; VS Code extension developers; self-propagating infection of extensions

Key Lessons:

• IDE extension marketplaces are vulnerable to the same attacks as package registries
• Self-propagating malware in development tools can spread through the development community
• Extension developers become unwitting vectors for malware distribution
• Workspace isolation is essential to prevent cross-contamination of projects

Sources:

• Veracode, "The First Self-Propagating VS Code Extension Worm: GlassWorm," October 20, 2025⁷⁷
• Secure Code Warrior, "OWASP Top 10 2025: Software Supply Chain Failures," 2025⁷⁸

Solana Monkey-Patching Malware¶

Date: 2025

Summary: A cluster of npm packages was found "monkey-patching" (modifying at runtime) the legitimate Solana web3.js library. The malware would wait for a transaction to be signed, then swap the recipient address with the attacker's address or exfiltrate the private key entirely. These packages amassed over 25,000 downloads before being purged. This attack demonstrated sophisticated runtime manipulation rather than simple credential theft.

Impact Scope: Over 25,000 downloads; Solana blockchain users; cryptocurrency theft via transaction manipulation

Key Lessons:

• Runtime library modification can subvert legitimate code without changing it
• Transaction interception at signing time bypasses most security controls
• Cryptocurrency libraries are prime targets for sophisticated financial theft
• Behavioral analysis must detect unexpected modifications to trusted libraries

Sources:

• ReversingLabs, "The 2025 Software Supply Chain Security Report," 2025⁷⁹

React2Shell (CVE-2025-55182)¶

Date: December 2025

Summary: Considered the most critical vulnerability of 2025, a flaw in React Server Components (RSC) allowed unauthenticated remote code execution via insecure deserialization. Because it affected the RSC Flight protocol, standard Next.js applications were vulnerable by default, allowing attackers to execute privileged JavaScript with system-level access. The vulnerability's impact was amplified by React's ubiquity in modern web development.

Impact Scope: Standard Next.js applications using React Server Components; web applications globally

Key Lessons:

• Framework-level vulnerabilities affect all applications built on that framework
• Deserialization vulnerabilities remain a critical attack vector in modern frameworks
• Default-vulnerable configurations maximize attacker impact
• React/Next.js ecosystem scale means vulnerabilities have global reach

Sources:

• React.dev, "Critical Security Vulnerability in React Server Components," December 3, 2025⁹⁰
• NVD, CVE-2025-55182⁹¹

2026¶

AWS CodeBreach: CodeBuild Webhook Filter Bypass¶

Date: January 15, 2026

Summary: Security researchers at Wiz disclosed a webhook filter misconfiguration in AWS CodeBuild affecting four AWS-managed open-source GitHub repositories (aws-sdk-js-v3, aws-lc, amazon-corretto-crypto-provider, awslabs/open-data-registry). Unanchored regex patterns in webhook actor-ID filters performed substring matches rather than exact matches, enabling an attacker who obtained a GitHub user ID containing a trusted maintainer's ID as a substring to bypass the filter and trigger privileged builds with access to repository secrets. AWS reported no downstream compromise and performed credential rotations and broader audit.

Impact Scope: Four AWS-managed open-source repositories; potential (unrealized) impact on downstream consumers of AWS SDK for JavaScript and other libraries

Key Lessons:

• Webhook filters are security controls and must use exact-match allowlists, not fragile regex
• CI/CD build environments are credential-theft surfaces; minimize token scope
• Audit CI trigger logic periodically as part of security reviews
• Untrusted PRs should require explicit approval gates before triggering privileged builds

Sources:

• AWS Security Bulletin 2026-002, January 15, 2026⁸²
• Wiz Research, "CodeBreach: Breaking Out of AWS CodeBuild via Webhook Filter Bypass," January 15, 2026⁸³

PyPI Spellchecker Lookalikes (Fileless RAT)¶

Date: January 23, 2026

Summary: Aikido Security reported a cluster of PyPI packages masquerading as spellchecker utilities that delivered a fileless Python remote access trojan. The malicious setup.py spawned a detached child process that downloaded and executed a RAT entirely in memory, reducing forensic artifacts. The shift from cryptocurrency-only payloads to general-purpose RATs signals that attackers increasingly view developer workstations as high-value foothold targets.

Impact Scope: PyPI ecosystem; developer machines running pip install on the malicious packages; download counts limited/uncertain

Key Lessons:

• Fileless execution models evade file-based detection and reduce forensic artifacts
• Attacker ROI is shifting from cryptocurrency theft to general-purpose developer footholds
• Package installation sandboxing and behavioral monitoring are essential CI/CD controls
• Verify package identity (download counts, maintainer history, repository links) before installation

Sources:

• Aikido Security, "Malicious PyPI 'spellchecker' packages deliver fileless Python RAT," January 23, 2026⁸⁴

GlassWorm Open VSX Publisher Credential Compromise (Wave 2)¶

Date: January 30, 2026

Summary: Socket Security reported that four established Open VSX extensions received malicious updates via compromised publisher credentials, delivering the GlassWorm staged loader. Unlike the October 2025 self-propagating GlassWorm worm, this wave used publisher account compromise (likely leaked tokens) to push targeted malicious updates. The payload used runtime decryption, locale avoidance, and dynamic C2 discovery via Solana transaction memos (EtherHiding-style dead-drop resolver). The second-stage targeted developer credentials: ~/.aws, ~/.ssh, browser passwords, and cryptocurrency wallets.

Impact Scope: Four established Open VSX extensions; users of VSCodium, Eclipse Theia, Gitpod, and other Open VSX-consuming editors; developer credential theft

Key Lessons:

• Publisher credential compromise can bypass static pre-publication checks
• Open VSX and VS Code Marketplace have different security models; both require governance
• Developer credential theft from IDE extensions enables upstream supply-chain attacks
• The Eclipse Foundation's pre-publish security checks initiative (announced January 28, 2026) was directly catalyzed by this incident

Sources:

• Socket Security, "GlassWorm Strikes Open VSX," January 30, 2026⁸⁵

Metro4Shell: React Native Metro Server KEV Inclusion¶

Date: February 5, 2026 (KEV addition); exploitation observed December 2025–January 2026

Summary: CISA added CVE-2025-11953 to the Known Exploited Vulnerabilities catalog. The vulnerability is an OS command injection in the Metro Development Server opened by the React Native Community CLI. Metro binds to all network interfaces by default and exposes an unauthenticated endpoint enabling command execution (fully controlled arguments on Windows). VulnCheck reported exploitation activity beginning in late December 2025. The CVSS 9.8 score and KEV addition make this one of the first developer-tooling vulnerabilities to receive mandatory federal remediation timelines.

Impact Scope: React Native developers with Metro servers exposed beyond localhost; developer workstations and CI runners; KEV remediation due date February 26, 2026

Key Lessons:

• Developer-only services accidentally exposed to networks are functionally internet-facing services
• Developer workstations hold signing keys, registry tokens, and cloud credentials—RCE is a supply-chain entry point
• Default bind behaviors (0.0.0.0) must be overridden with policy, not individual choice
• KEV now covers developer toolchains, not just production infrastructure

Sources:

• NVD, CVE-2025-11953 (CVSS 9.8)⁸⁶
• CISA KEV catalog, entry for CVE-2025-11953, added February 5, 2026⁸⁷
• VulnCheck, "Metro4Shell exploitation activity," 2026⁸⁸

dYdX Maintainer Compromise (npm + PyPI)¶

Date: February 6, 2026

Summary: Attackers compromised the maintainer accounts for legitimate dYdX-related packages on both npm and PyPI, publishing malicious versions that stole cryptocurrency wallet credentials and established remote access tooling. The dual-registry attack doubled the victim surface, and the legitimate package histories enabled trust inheritance—the malicious updates were pulled automatically by CI/CD pipelines and developers running routine dependency updates.

Impact Scope: dYdX ecosystem users on npm and PyPI; cryptocurrency wallet theft; remote access established on developer machines; precise victim count unspecified

Key Lessons:

• Multi-registry attacks multiply blast radius when maintainers reuse credentials across ecosystems
• Legitimate-to-malicious flips exploit trust inheritance in established packages
• Combination of credential theft and RAT deployment suggests interest in persistent developer access
• Cross-registry credential hygiene (unique, scoped credentials per registry) is essential

Sources:

• Socket Security research and public reporting, February 6, 2026⁸⁹

OpenClaw Ecosystem Attacks (ClawHavoc / CVE-2026-25253 / Moltbook)¶

Date: January–February 2026

Summary: A cluster of supply chain attacks targeted OpenClaw (formerly Clawdbot, then Moltbot), an open-source autonomous AI personal assistant that gained over 100,000 GitHub stars within two months of its November 2025 release. The incidents demonstrated that AI agent ecosystems reproduce the full spectrum of package-registry attack patterns at accelerated timescales. Between January 27 and February 2, 2026, the ecosystem experienced four overlapping attack waves:

• ClawHavoc: Researchers audited all 2,857 skills on ClawHub, OpenClaw's plugin registry, and found 341 malicious entries (335 from a single campaign) delivering infostealers that harvested API keys, cryptocurrency wallet private keys, SSH credentials, and browser passwords.
• CVE-2026-25253 (CVSS 8.8): A cross-site WebSocket hijacking vulnerability allowed one-click remote code execution. A developer visiting a malicious web page would have their authentication token exfiltrated, granting the attacker full gateway control and command execution. Patched in version 2026.1.29.
• Fake VS Code extension: A trojan branded "ClawdBot Agent" appeared on the VS Code Marketplace before the legitimate project published an official extension, installing ScreenConnect RAT on victim machines.
• Moltbook database exposure: Moltbook, an AI-agent social network, suffered a backend misconfiguration exposing emails, private messages, and large volumes of authentication tokens, enabling agent impersonation.

Impact Scope: OpenClaw users globally; developers running OpenClaw with system-level permissions; ClawHub skill ecosystem; Moltbook platform users and connected agents

Key Lessons:

• AI agent plugin registries ("skills") face the same malicious-package risks as npm/PyPI, but with higher impact due to deep system access
• Browser-to-agent trust boundaries (WebSocket connections from web pages to local agents) are a novel attack surface requiring explicit origin validation
• Rapid project renames create ideal conditions for impersonation, typosquatting, and namesquatting across distribution channels
• Agent-to-agent platforms introduce a new "content supply chain" where compromised tokens enable upstream influence on other agents' behavior
• The speed of attack (341 malicious skills within one week of viral adoption) outpaced governance: agent platform providers should pre-deploy automated skill scanning and allowlisting before opening plugin registries to public submissions

Sources:

• Koi Security, "ClawHavoc: 341 Malicious Clawed Skills Found by the Bot They Were Targeting," February 2, 2026⁹²
• BleepingComputer, "Malicious MoltBot skills used to push password-stealing malware," 2026⁹³
• The Hacker News, "OpenClaw Bug Enables One-Click Remote Code Execution via Malicious Link," February 2026⁹⁴
• Aikido Security, "Fake Clawdbot VS Code Extension Installs ScreenConnect RAT," January 2026⁹⁵
• Reuters, "'Moltbook' social media site for AI agents had big security hole, cyber firm Wiz says," February 2, 2026⁹⁶

Summary of Attack Vectors by Incident¶

Key Observations Across Incidents¶

Evolution of Sophistication: Early incidents were primarily accidental vulnerabilities or simple attacks. Modern supply chain attacks increasingly involve long-term planning, social engineering, and targeting of build infrastructure rather than just source code.

Recurring Themes:

1. Single points of failure: Individual maintainers, accounts, and dependencies create concentrated risk
2. Trust exploitation: Attackers invest in building trust before exploiting it
3. Detection challenges: Many compromises persist for weeks or months before discovery
4. Cascading effects: One compromise enables subsequent attacks downstream

Defensive Gaps Highlighted:

• Build system integrity verification
• Distribution infrastructure and update mechanism verification
• Expected-publisher certificate validation (not just signature existence)
• Maintainer succession and vetting processes
• Behavioral analysis of package changes
• SBOM adoption and dependency visibility
• Multi-factor authentication enforcement

These incidents collectively demonstrate that software supply chain security requires defense in depth across the entire lifecycle—from initial development through build, publication, distribution, and consumption.