<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>ShieldedStack Blog</title>
        <link>https://shieldedstack.com/blog</link>
        <atom:link href="https://shieldedstack.com/blog/rss.xml" rel="self" type="application/rss+xml"/>
        <description>Supply chain security deep-dives from ShieldedStack.</description>
        <language>en</language>
        <lastBuildDate>Fri, 29 May 2026 10:26:28 GMT</lastBuildDate>
        <item>
            <title>NuGet Supply Chain Security: A Practical Guide</title>
            <link>https://shieldedstack.com/blog/nuget-supply-chain-security-a-practical-guide</link>
            <guid isPermaLink="true">https://shieldedstack.com/blog/nuget-supply-chain-security-a-practical-guide</guid>
            <pubDate>Fri, 29 May 2026 08:05:48 GMT</pubDate>
            <description>Your NuGet packages are a bigger attack surface than your code.

Think about it: when was the last time you audited a dependency before running dotnet add package? You check the download count, maybe the GitHub stars, and move on. Meanwhile, you&apos;re trusting not just that package author, but every transitive dependency, every maintainer with commit access, and every build system that touched the release.

The 2021 SolarWinds breach wasn&apos;t a sophisticated zero-day exploit. It was a compromised bui</description>
            <author>noreply@shieldedstack.com (Alex Wichmann)</author>
        </item>
        <item>
            <title>Top 10 malicious / compromised packages – 2026-05-25</title>
            <link>https://shieldedstack.com/blog/top-10-malicious-compromised-packages-2026-05-25</link>
            <guid isPermaLink="true">https://shieldedstack.com/blog/top-10-malicious-compromised-packages-2026-05-25</guid>
            <pubDate>Mon, 25 May 2026 19:52:19 GMT</pubDate>
            <description>This weekly list covers the ten most significant malicious or compromised packages recently observed in public registries.


1. durabletask (pypi)

 * Package: https://pypi.org/project/durabletask/
 * Severity: critical
 * Affected versions: 1.4.1-1.4.3
 * Downloads: 386297
 * First seen: 19 May 2026 at 17:58 UTC

TeamPCP compromised a legitimate PyPI contributor and published three malicious versions of durabletask (1.4.1, 1.4.2, 1.4.3) to PyPI — a Python package implementing Microsoft Azure&apos;s </description>
            <author>noreply@shieldedstack.com (Alex Wichmann)</author>
        </item>
        <item>
            <title>GitHub Actions Security Checklist for the Supply Chain Attack Era</title>
            <link>https://shieldedstack.com/blog/github-actions-security-checklist-for-the-supply-chain-attack-era</link>
            <guid isPermaLink="true">https://shieldedstack.com/blog/github-actions-security-checklist-for-the-supply-chain-attack-era</guid>
            <pubDate>Sat, 16 May 2026 18:40:37 GMT</pubDate>
            <description>GitHub Actions is one of the most convenient ways to automate builds, tests, releases, and deployments. It is also one of the easiest places to accidentally hand attackers a path into your software supply chain when workflow trust boundaries are too loose.

That matters more now because recent supply chain incidents have followed the same pattern again and again: compromise the build path, steal a token, poison a release, and let downstream users do the rest.

This checklist focuses on the mista</description>
            <author>noreply@shieldedstack.com (Alex Wichmann)</author>
        </item>
        <item>
            <title>How ShieldedStack Uses Kiota to Keep Frontend and Backend in Sync</title>
            <link>https://shieldedstack.com/blog/how-shieldedstack-uses-kiota-to-keep-frontend-and-backend-in-sync</link>
            <guid isPermaLink="true">https://shieldedstack.com/blog/how-shieldedstack-uses-kiota-to-keep-frontend-and-backend-in-sync</guid>
            <pubDate>Fri, 24 Apr 2026 20:45:52 GMT</pubDate>
            <description>In ShieldedStack, the Control Plane frontend doesn’t manually define API calls. Instead, it consumes a fully generated, strongly typed TypeScript client, built directly from the backend’s OpenAPI specification using Kiota.

This approach keeps the frontend and backend in lockstep, eliminates drift, and removes a whole class of runtime errors caused by mismatched contracts.


Build-Time: Generating the Client

The process starts in the backend project (API). During the build, the API emits an Ope</description>
            <author>noreply@shieldedstack.com (Alex Wichmann)</author>
        </item>
    </channel>
</rss>