
Software supply chain attacks via open source packages and CI actions

April 4, 2026 | GitHub, Black Hat, SANS Digital Forensics and Incident Response

GitHub, Black Hat, N2K Networks, and SANS DFIR converge on supply chain compromise as a dominant risk, spanning weaponized GitHub Actions, malicious open source packages, and high-profile package incidents that turn trusted dependencies into intrusion paths.

The Download: LiteLLM hacked
serious supply chain attack on the LiteLLM Python package
Uncovering and Responding to the tj-actions Supply Chain Breach
tj-actions/changed-files GitHub Action ... had been weaponized to exfiltrate secrets
Hunting North Korea’s Contagious Interview Operation
Attacks on Developers via the Software Supply Chain
North Korea targets the axios NPM package
the serious supply chain attack on the LiteLLM Python package
Poison in the Digital Well: Intelligence-Driven Defense Against Supply Chain Attacks
React2Shell attacks spread at scale
Sources: GitHub, Black Hat, SANS Digital Forensics and Incident Response, N2K Networks
Tags: supply chain, open source, dependency risk, github, npm, axios
