tag
supply chain
2 articles with this tag
2026-06-07
The XZ Utils backdoor (CVE-2024-3094) — when trust itself was the target
A trusted maintainer planted a backdoor in xz — a supply-chain attack. One engineer's 'this feels slow' observation caught it just before it reached stable distributions. Code wasn't the target — people and trust were. Minimize dependencies, pin versions, build reproducibly, chase anomalies, and support maintainers.
2026-06-07
Codecov breach (2021) — when a 'trusted tool' in CI was hijacked and secrets leaked
A trusted CI tool (the curl|bash Bash Uploader) was altered upstream. Because your own code was untouched, it went unnoticed for ~2 months while CI secrets leaked; a checksum check finally caught it. In your CI: verify fetched artifacts, give secrets least privilege, rotate them, and monitor egress.