Hackers are launching major attacks against the software supply chain, the tools and packages that developers use to build applications. A single compromised component can push malicious code into hundreds of downstream projects at once, putting millions of users at risk.
One serious threat is the Miasma malware, which targets npm packages and GitHub Actions. GitHub Actions are the automated workflows that test, build and publish code for many projects. By compromising these development tools rather than the applications themselves, attackers can inject harmful code into every project that runs them, without the developers noticing.
Another significant vulnerability comes from flaws in the Cordyceps CI/CD system. Researchers discovered that these continuous integration and continuous deployment tools, which automatically build and release software, contained security weaknesses exposing over 300 GitHub repositories to attack. Because the same weakness was present everywhere the tool was used, a single flaw was enough to compromise many projects.
GitHub responded by updating its actions/checkout tool to block a common attack pattern. The update is designed to protect developers from pwn request attacks. In a pwn request, an attacker opens a pull request from a fork against a repository whose workflow runs on a privileged trigger such as pull_request_target (which receives the repository's secrets and a write-capable token) and then checks out the pull request's own revision; any build or test step that follows executes the attacker's code with those privileges.
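The pattern described above is easy to spot once you know what to look for. The following is an added example, not code from the original article or from GitHub: a small Python audit that flags a workflow which combines a privileged trigger with a checkout of the contributor's revision, and shows the two usual fixes beside it. Workflows are passed in as already parsed YAML dictionaries (so no PyYAML is required); the workflow contents, job names and the NPM_TOKEN secret name are constructed sample data, and the function names are my own.

```python
"""Audit GitHub Actions workflows for the "pwn request" anti-pattern.

A workflow triggered by `pull_request_target` (or `workflow_run`) runs in
the context of the base repository: it gets a write-capable GITHUB_TOKEN
and the repository secrets. If such a workflow then checks out the pull
request's head revision and builds or tests it, code from any fork runs
with those privileges. Workflows are handled as plain dicts here so the
example runs offline; with PyYAML you would feed it yaml.safe_load(...).
"""

PRIVILEGED_TRIGGERS = {"pull_request_target", "workflow_run"}

# Expression fragments that resolve to the untrusted contributor's revision.
UNTRUSTED_REF_MARKERS = (
    "github.event.pull_request.head",
    "github.head_ref",
    "github.event.workflow_run.head",
)


def triggers(workflow):
    """Return the set of event names a workflow runs on.

    The `on` key may be a string, a list, or a mapping of event -> options.
    PyYAML parses a bare `on:` key as the boolean True, so accept both.
    """
    on = workflow.get("on")
    if on is None:
        on = workflow.get(True)
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    if isinstance(on, dict):
        return set(on.keys())
    return set()


def checks_out_untrusted_ref(step):
    """True if this step runs actions/checkout against the PR/fork revision."""
    uses = step.get("uses") or ""
    if not uses.startswith("actions/checkout"):
        return False
    ref = str((step.get("with") or {}).get("ref", ""))
    return any(marker in ref for marker in UNTRUSTED_REF_MARKERS)


def find_pwn_requests(workflow):
    """Return [(job_id, step_index), ...] for every step that checks out the
    contributor's revision while running under a privileged trigger.
    An empty list means the workflow does not show the pattern."""
    if not (triggers(workflow) & PRIVILEGED_TRIGGERS):
        return []
    findings = []
    for job_id, job in (workflow.get("jobs") or {}).items():
        for idx, step in enumerate(job.get("steps") or []):
            if checks_out_untrusted_ref(step):
                findings.append((job_id, idx))
    return findings


# --- Constructed sample workflows (not taken from any real repository) ---

# Vulnerable: privileged trigger + checkout of the PR head + secrets in scope.
VULNERABLE = {
    "name": "ci",
    "on": {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": "npm ci && npm test",
         "env": {"NPM_TOKEN": "${{ secrets.NPM_TOKEN }}"}},
    ]}},
}

# Fix 1: use the unprivileged `pull_request` trigger, which runs fork code
# with a read-only token and no secrets.
HARDENED_UNPRIVILEGED = {
    "name": "ci",
    "on": ["pull_request"],
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"run": "npm ci && npm test"},
    ]}},
}

# Fix 2: keep `pull_request_target` (e.g. for labelling) but check out the
# base branch only, so contributor code is never executed.
HARDENED_BASE_CHECKOUT = {
    "name": "triage",
    "on": {"pull_request_target": {}},
    "jobs": {"label": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"run": "./scripts/label-pr.sh",
         "env": {"GH_TOKEN": "${{ secrets.GITHUB_TOKEN }}"}},
    ]}},
}


if __name__ == "__main__":
    for name, wf in [("VULNERABLE", VULNERABLE),
                     ("HARDENED_UNPRIVILEGED", HARDENED_UNPRIVILEGED),
                     ("HARDENED_BASE_CHECKOUT", HARDENED_BASE_CHECKOUT)]:
        print(name, find_pwn_requests(wf))
```

The check is deliberately conservative: it only fires when both halves of the pattern are present. A `pull_request_target` workflow that never checks out the head revision is fine, and a `pull_request` workflow that does check it out runs without secrets, so neither is flagged.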
The attacks also spread beyond code repositories. Researchers found that ShapedPlugin's WordPress Pro plugins had been backdoored in a supply chain attack. WordPress powers millions of websites worldwide, so a tampered plugin is a serious threat to web security: every site that installs the backdoored release is compromised along with it.
The real-world impact became clear when Polymarket customers lost $3 million in a supply chain attack. Polymarket is a cryptocurrency prediction platform, which shows that attackers are reaching financial systems through the software those systems depend on.
These attacks work because developers trust the tools and packages they use, and that trust is transitive. When an attacker compromises one package or tool, every project that depends on it, directly or through its own dependencies, inherits the malicious code. One successful attack can therefore ripple out to hundreds or thousands of applications.
Security experts emphasize that protecting the software supply chain requires several safeguards working together. Companies need to scan their code and dependencies for vulnerabilities, restrict who and what can access development tools and CI systems, monitor for suspicious activity such as unexpected package publishes or workflow changes, and keep software updated with the latest security patches. Developers should also vet which packages and actions they pull in and regularly check for security warnings from maintainers.
As software development becomes more complex and interconnected, supply chain attacks will likely remain a major cybersecurity concern. Protecting these foundational tools is critical to keeping the internet secure.