InfoQ Homepage Software Supply Chain Content on InfoQ
-
NPM Ecosystem Suffers Two AI-Enabled Credential Stealing Supply Chain Attacks
The Node Package Manager (npm) ecosystem has suffered from two major supply chain attacks in recent months, affecting hundreds of packages and exposing developers to credential theft and data exfiltration. The attack vector of these incidents shows an AI-enabled evolution of how open-source software dependencies can be compromised.
-
Google Veles is a New Open-Source Secret Scanner Powering GCP
Google Veles is a newly released open-source secret scanner, launched as part of Google's broader OSV-SCALIBR (Software Composition Analysis LIBRary) ecosystem. Veles integrates seamlessly with other OSV-SCALIBR tools and also powers secret scanning in Google Cloud, while remaining available as a standalone module.
-
Supply Chain Security: Provenance Tools Becoming Standard in Developer Platforms
Software provenance is gaining new importance as organizations look for ways to secure their supply chains against tampering and comply with emerging standards like SLSA.
-
Microsoft Launches Azure DevOps MCP Server in Public Preview
Microsoft has unveiled the Azure DevOps Model Context Provider (MCP) Server in public preview, enabling seamless interaction between GitHub Copilot and Azure DevOps. This innovative tool allows developers to query and manage project data using natural language directly within VS Code, streamlining workflows and enhancing productivity while ensuring project data remains secure and local.
-
CNCF Graduates in‑toto, Bolstering Software Supply Chain Security
On April 23, 2025, the Cloud Native Computing Foundation (CNCF) announced the graduation of in‑toto, a framework designed to enforce supply chain integrity by ensuring that every step in the software development lifecycle, such as building, signing, and deployment, is properly authorized and verifiable.
-
Docker Launches Hardened Base Images
Docker has launched its Docker Hardened Images (DHI), a security-focused range of base images that reduce vulnerabilities by up to 95%. Built using a distroless approach, these minimal images eliminate unnecessary components, offering automatic patching and compatibility with existing Dockerfiles. Ideal for regulated environments, DHI enhances software supply chain security and transparency.
-
Docker Introduces Hardened Images to Strengthen Container Security
Docker has launched Docker Hardened Images, a catalog of enterprise-grade, security-hardened container images designed to protect against software supply chain threats. By relieving DevOps teams from the chore of securing their containers on their own, hardened images provide an easier way to meet enterprise-grade security and compliance standards, Docker says.
-
Compromised GitHub Action Highlights Risks in CI/CD Supply Chains
The popular tj-actions/changed-files GitHub Action used by thousands of repositories recently compromised those repositories, exposing a critical weakness in how open-source Actions are published and consumed.
-
JFrog Integrates Runtime Security for Enhanced DevSecOps Platform
JFrog has introduced JFrog Runtime to its suite of security capabilities, adding real-time vulnerability detection to its software supply chain platform. This update is aimed at developers and DevSecOps teams working with Kubernetes clusters and cloud-native applications.
-
Applying Zero-Trust Security to Docker Containers
Several strategies exist to apply the principles of zero-trust security to development environments based on Docker Desktop to protect against the risks of security breaches, Docker senior technical leader Jay Schmidt explains.
-
Over 100K+ Sites Hit by Polyfill.io Supply Chain Attack
E-Commerce security firm Sansec unveiled a new supply chain attack affecting the Polyfill JS service when accessed through a number of CDNs hosting it. According to Sansec, over 100K sites were hit. The original author of the service, Andrew Betts, suggested removing Polyfill from any sites using it.
-
GitHub Enables Dependabot via GitHub Actions, Improves Supply Chain Security
GitHub has released two features to improve the security and resilience of repositories. The first feature allows Dependabot to run as a GitHub Actions workflow using hosted and self-hosted runners. The second release introduces the public beta of Artifact Attestations, simplifying how repository maintainers can generate provenance for their build artifacts.
-
GUAC Joins OpenSSF as Incubating Project
The Graph for Understanding Artifact Composition (GUAC) has joined the Open Source Security Foundation (OpenSSF) as an incubating project. GUAC provides a tool and underlying API to analyse and visualise software bill of materials (SBOM) along with threat intelligence feeds to determine whether vulnerabilities impact an application.
-
Do Gen AI and OSS Regulation Bring Us Further Away from Exiting the Dependency Hell?
“The security of the software supply chain problem” still persists according to the yearly State Of Supply Chain report. It improved, but there is still a long way to go, given that 96% of all vulnerable downloads were avoidable. Besides the usual insights of how far from exiting the "dependency hell" we are, the novel challenges of 2023 include the legislative adoption of Gen AI-associated risks.
-
TorchServe Potentially Exposed to Remote Code Execution
Israeli-based security company Oligo has uncovered multiple vulnerabilities in TorchServe, the tool used to serve PyTorch models, that could allow an attacker to run arbitrary code on vulnerable systems. The vulnerabilities have been promptly fixed in TorchServe version 0.82.