Blog

Supply chain security, written from the inside.

Attack post-mortems, technical deep-dives, and practical guidance for engineering teams running on-premises dependency security.

NuGet Supply Chain Security: A Practical Guide

Your NuGet packages are a bigger attack surface than your code. Think about it: when was the last time you audited a dependency before running dotnet add package? You check the download count, maybe the GitHub stars, and move on. Meanwhile, you're trusting not just that package author, but every transitive dependency, every maintainer with commit access, and every build system that touched the release. The 2021 SolarWinds breach wasn't a sophisticated zero-day exploit. It was a compromised bui

29 May 2026

4 min read

Top 10 malicious / compromised packages – 2026-05-25

This weekly list covers the ten most significant malicious or compromised packages recently observed in public registries.

1. durabletask (pypi)

* Package: https://pypi.org/project/durabletask/
* Severity: critical
* Affected versions: 1.4.1-1.4.3
* Downloads: 386297
* First seen: 19 May 2026 at 17:58 UTC

TeamPCP compromised a legitimate PyPI contributor and published three malicious versions of durabletask (1.4.1, 1.4.2, 1.4.3) to PyPI — a Python package implementing Microsoft Azure's

25 May 2026

5 min read

GitHub Actions Security Checklist for the Supply Chain Attack Era

GitHub Actions is one of the most convenient ways to automate builds, tests, releases, and deployments. It is also one of the easiest places to accidentally hand attackers a path into your software supply chain when workflow trust boundaries are too loose. That matters more now because recent supply chain incidents have followed the same pattern again and again: compromise the build path, steal a token, poison a release, and let downstream users do the rest. This checklist focuses on the mista

16 May 2026

5 min read

How ShieldedStack Uses Kiota to Keep Frontend and Backend in Sync

In ShieldedStack, the Control Plane frontend doesn’t manually define API calls. Instead, it consumes a fully generated, strongly typed TypeScript client, built directly from the backend’s OpenAPI specification using Kiota. This approach keeps the frontend and backend in lockstep, eliminates drift, and removes a whole class of runtime errors caused by mismatched contracts.

Build-Time: Generating the Client

The process starts in the backend project (API). During the build, the API emits an Ope

24 April 2026

1 min read
