Supply Chain Attack Examples

Real attacks, real ecosystems, real damage. This is why isolation matters.

  1. React RCE Vulnerability — [RCE] [Dependency Chain]

    CVE-2025-55182 – React Server Components RCE via Flight Payload Deserialization

    react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

  2. Shai-Hulud 2.0 — [Supply Chain] [Credential Theft] [Self-Propagation]

    Updated version of the npm worm that backdoored hundreds of legitimate packages.

    securitylabs.datadoghq.com/articles/shai-hulud-2.0-npm-worm/

  3. XZ Utils Backdoor — [Supply Chain] [RCE]

    A core Linux library was backdoored to tamper with SSH authentication globally.

    arxiv.org/abs/2504.17473

  4. Shai-Hulud 1.0 — [Supply Chain] [Credential Theft] [Self-Propagation]

    Original self-spreading npm worm that stole tokens and auto-published malware.

    blackduck.com/blog/npm-malware-attack-shai-hulud-threat.html

  5. NPM SSH-Key Stealers — [Credential Theft] [Postinstall Malware]

    Malicious postinstall scripts read ~/.ssh/id_rsa and uploaded it to attackers.

    scworld.com/news/github-npm-registry-abused-to-host-ssh-key-stealing-malware

  6. PyTorch Dependency Confusion — [Supply Chain] [Credential Theft]

    A fake PyPI package exfiltrated SSH keys and tokens.

    pytorch.org/blog/compromised-nightly-dependency/

  7. colors.js / faker.js Sabotage — [Sabotage]

    The maintainer intentionally shipped corrupted releases that broke countless dependent projects.

    fossa.com/blog/npm-packages-colors-faker-corrupted/

  8. Codecov Bash Uploader — [CI Compromise] [Credential Theft]

    A compromised CI script exfiltrated secrets from thousands of CI pipelines.

    about.codecov.io/security-update/

  9. PHP Git Server Backdoor — [RCE] [Account Takeover]

    Attackers pushed commits enabling RCE via HTTP headers.

    news-web.php.net/php.internals/113838

  10. UA-Parser-JS Hijack — [Account Takeover] [Credential Theft] [Cryptominer]

    Attackers used stolen maintainer credentials to publish malicious versions.

    github.com/advisories/GHSA-pjwm-rvh2-c87w

  11. Log4Shell — [RCE] [Ecosystem-Wide Vulnerability]

    A crafted string, once logged, triggered RCE in millions of Java systems.

    en.wikipedia.org/wiki/Log4Shell

  12. event-stream — [Supply Chain] [Credential Theft]

    A fake maintainer added a dependency that stole cryptocurrency wallets.

    github.com/dominictarr/event-stream/issues/116

  13. ESLint-Scope — [Account Takeover] [Credential Theft]

    A breached maintainer account was used to publish malicious versions.

    eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes/

  14. RubyGems Backdoored Packages — [Supply Chain] [Credential Theft]

    Popular gems were replaced with malicious versions.

    helpnetsecurity.com/2019/08/21/backdoored-ruby-gems/

  15. npm Typosquatting — [Social Engineering]

    Misspelled packages harvested AWS keys and env vars.

    docs.npmjs.com/threats-and-mitigations

  16. Octopus Scanner — [Build System Infection]

    Malware infected repositories so that every build produced compromised artifacts.

    github.blog/security/vulnerability-research/the-octopus-scanner-malware...

  17. XcodeGhost — [IDE Infection]

    Trojanized Xcode infected every iOS app built with it.

    unit42.paloaltonetworks.com/novel-malware-xcodeghost...
