Cybersecurity experts are sounding alarms about a growing wave of supply chain attacks—hacks that target the software and tools that developers use to build apps and websites. Instead of attacking companies directly, hackers are compromising the trusted programs and code libraries that these companies depend on, affecting thousands of users at once.
One major target has been npm packages, which are building blocks that programmers use when writing software. Security researchers discovered malware called Miasma that was hidden inside these packages and attempted to infiltrate GitHub Actions, a tool developers use to automatically test and deploy their code. Another similar threat called Cordyceps exploited security flaws in CI/CD systems—the automated tools that help developers build and update software—potentially putting more than 300 GitHub repositories at risk.
GitHub, the world's largest platform where programmers store and share code, has taken action by updating its actions/checkout tool to block common attack patterns. This change is designed to stop hackers from using a technique called "pwn requests" that could let attackers steal sensitive information or inject malicious code.
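To make the "pwn request" pattern concrete, here is an added illustration (not GitHub's code, and not the specific change it shipped to actions/checkout): a workflow that runs with the base repository's secrets yet checks out and executes code from a fork's pull request, beside a hardened version of the same job. The workflow names, the NPM_TOKEN secret and the npm commands are assumptions.

```yaml
# --- .github/workflows/ci-weak.yml (illustrative, deliberately weak) ---
# pull_request_target runs in the BASE repository's context: secrets are
# available and GITHUB_TOKEN can write. Checking out the fork's head commit
# and then running it means untrusted code executes with those privileges.
name: ci-weak
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork's code
      - run: npm install && npm test   # runs package.json lifecycle scripts
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret, now exposed

# --- .github/workflows/ci-hardened.yml (illustrative) ---
# pull_request (not pull_request_target) runs fork PRs without secrets and
# with a read-only GITHUB_TOKEN, so executing the contributed code is safe.
name: ci-hardened
on: pull_request
permissions:
  contents: read            # least privilege even for same-repo branches
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # don't leave a token in .git/config
      - run: npm ci --ignore-scripts && npm test   # skip dependency lifecycle scripts
```

If a job genuinely needs secrets for a fork PR (for example to post a comment), keep it on pull_request_target but never check out or execute the pull request's head; do the privileged step only on trusted base-branch code.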
WordPress plugins have also become targets. ShapedPlugin, a company that makes popular WordPress Pro plugins used by many websites, fell victim to a supply chain attack that inserted backdoors into their software. A backdoor is a hidden entrance that lets hackers access systems without permission.
The impact has extended beyond software developers. Polymarket, a cryptocurrency prediction platform where people bet on future events, saw customers lose approximately $3 million in a supply chain attack. The hack demonstrates how these attacks can directly harm everyday users through the platforms they trust.
What makes supply chain attacks particularly dangerous is that they can affect massive numbers of people before anyone notices. Because victims are downloading from legitimate-looking sources, they often have no reason to be suspicious. By the time security researchers discover the problem, the malicious code may have already spread to thousands of computers and systems.
Companies and developers are responding by increasing their security checks and monitoring their tools more carefully. GitHub's update represents one example of how platforms are working to defend against these attacks. However, security experts say the fundamental challenge remains: as long as developers need to use external tools and code libraries, there will be opportunities for hackers to slip malicious code into the supply chain.