Category
11 posts in this category.
Attack post-mortem
Self-replicating npm worms scrape publish tokens from infected developer machines and use them to publish malicious versions of every package those tokens can reach. Here is the propagation pattern, why it scales, and what reduces the blast radius.
Attack post-mortem
PyTorch nightly builds briefly pulled a malicious torchtriton package from public PyPI instead of the internal one. The mechanism is the canonical dependency-confusion attack, and it still works today.
Attack post-mortem
Three versions of ua-parser-js were briefly published with cryptominer and credential-stealer payloads after the maintainer’s npm account was taken over. A clean illustration of how reach amplifies short exposure windows.
Attack post-mortem
In 2024, a malicious version of litellm was published to PyPI and downloaded by developers in less than 5 minutes. Here's what happened, how it worked, and how Veln would have caught it.
Attack post-mortem
The xz utils backdoor was 29 months in the making. The exposure window was approximately 5 hours. Here's the complete timeline and what it teaches us about supply chain security.
Attack post-mortem
The canonical maintainer-handoff supply-chain attack. A polite stranger took over an unmaintained npm package, added a transitive dependency, and shipped a payload that ran only inside one specific cryptocurrency wallet.
Attack post-mortem
In May 2022, two long-stable open-source packages were modified to exfiltrate environment variables. Both fell to the same vector: their maintainers’ email domains had expired and been re-registered.
Attack post-mortem
In January 2022, the developer of colors.js and faker.js deliberately shipped broken, infinite-loop versions of both packages. Here's what happened and what it means for supply chain trust.
Attack post-mortem
In March 2022, the node-ipc npm package was modified to delete files on computers in Russia and Belarus. Here's what happened, why it was unprecedented, and what it means for supply chain trust.
Attack post-mortem
SolarWinds is the most famous supply chain attack. Here's what actually happened, how it compares to npm and PyPI attacks, and what lessons apply to package manager security.
Attack post-mortem
In November 2024, aiocpa — a Python library for the CryptoPay API — had a malicious update published that exfiltrated seed phrases and private keys. Here's the full breakdown.