Software developers and companies worldwide face a growing threat from coordinated supply chain attacks that target the tools and platforms used to build applications. These attacks work by compromising the software that many companies depend on, rather than attacking individual businesses directly.
One major threat comes from malware called Miasma, which has been found in npm packages and GitHub Actions. npm is a popular platform where developers share code libraries, and GitHub Actions automates software testing and deployment. By placing malicious code in these widely used tools, attackers can reach hundreds of developers and organizations at once.
Security researchers also discovered serious flaws in a CI/CD system called Cordyceps. CI/CD stands for "Continuous Integration/Continuous Deployment," a set of automated tools that help developers test and release software updates. These flaws exposed over 300 GitHub repositories to potential attacks, meaning hackers could have accessed code from hundreds of development projects.
GitHub, the world's largest code-sharing platform, responded by updating its checkout tool to block common attack patterns. This update helps protect developers from a specific type of attack called "Pwn Request," which tricks systems into running malicious code.
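A Pwn Request arises when a workflow triggered by `pull_request_target`, which runs with the base repository's permissions, checks out and runs code from the incoming pull request. The heuristic check below for that pattern is an added example, not GitHub's code or code from this article; the function names and the sample workflow are constructed for illustration, and it scans the text line by line rather than parsing YAML.

```python
import re

# Expressions that resolve to the pull request's untrusted head commit or branch.
UNTRUSTED_REF = re.compile(
    r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref|refs/pull/")
STEP_START = re.compile(r"^\s*-\s")

# Constructed sample workflow, not taken from any real repository.
RISKY = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install && npm test
"""
# Same steps under the pull_request trigger, which this check does not flag.
SAFE = RISKY.replace("pull_request_target", "pull_request")


def strip_comment(line):
    """Drop a trailing YAML comment (heuristic: no handling of '#' in quoted strings)."""
    return re.sub(r"(^|\s)#.*$", "", line)


def find_pwn_request_risks(workflow_text):
    """Return (line_number, message) findings for one workflow file's text."""
    lines = [strip_comment(l) for l in workflow_text.splitlines()]
    if not any(re.search(r"\bpull_request_target\b", l) for l in lines):
        return []  # the pattern needs the privileged trigger
    findings, in_checkout = [], False
    for num, line in enumerate(lines, start=1):
        if STEP_START.match(line):
            in_checkout = False  # a new list item starts a new step
        if re.search(r"uses:\s*actions/checkout@", line):
            in_checkout = True
        if in_checkout and re.search(r"\bref:", line) and UNTRUSTED_REF.search(line):
            findings.append((num, "pull_request_target job checks out PR head code"))
    return findings


if __name__ == "__main__":
    for name, text in (("risky", RISKY), ("safe", SAFE)):
        print(name, find_pwn_request_risks(text))
```

Run it over each file in `.github/workflows/` and review every finding by hand, since a flagged checkout is only dangerous when later steps build or execute the checked-out code.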
The attacks expanded beyond development platforms to WordPress, where hackers inserted hidden malicious code into ShapedPlugin Pro, a plugin used by many WordPress websites. Plugins are add-ons that extend website functionality, and compromising them allows attackers to control thousands of websites at once.
The financial impact has been significant. Customers of Polymarket, a cryptocurrency prediction platform, lost approximately $3 million when attackers exploited a supply chain vulnerability. This demonstrates how these attacks can directly harm everyday users and their money.
Supply chain attacks are particularly dangerous because they exploit trust. When developers use tools from established platforms or trusted plugins, they typically assume the code is safe. Attackers take advantage of this trust by secretly inserting malicious code into these widely used tools. Once the compromised software is installed, it can give hackers access to sensitive data, steal information, or install additional harmful software.
For cybersecurity experts, these coordinated attacks highlight the urgent need for better security practices throughout the software development process. Companies are now focusing on verifying that the tools and code they use haven't been compromised and implementing stronger protections for the platforms that developers rely on daily.