Spectra Assure Free Trial
Get your 14-day free trial of Spectra Assure
Get Free TrialMore about Spectra Assure Free TrialThe widespread campaign of software supply chain hacks that were behind the attack on SolarWinds began in 2020, and unofficially elevated software supply chain security to the top echelon of cyber risks to both government and the private sector. Subsequent events, like the emergence of the Log4Shell vulnerability in the Log4j2 open source library, underscored that software supply chain risk is for real.
However, if you are thinking that supply chain threats and attacks as a new problem plaguing software producers and their customers, you are wrong. In fact, software supply chain attacks have been with us for years — decades even — though they haven’t always demanded the kind of attention and response they now receive.
Below is a list of known software supply chain attacks, compiled from public records and reporting. This list is — of course — incomplete. First: it is likely that there have been attacks in which the details have not been made public. Second, these attacks are happening all the time, making any accounting incomplete. Finally, opinions on what constitutes a software supply chain attack can differ from expert to expert.
Special Report: The State of Software Supply Chain Security (SSCS) 2024Download Report: State of SSCS
Below is a list of known (documented, reported) attacks involving compromises of software supply chains (from latest to oldest).
Malware leveraging public infrastructure
ReversingLabs researchers discovered two novel pieces of malware leveraging GitHub: one abusing GitHub Gists, the other issuing commands through git commit messages. (Read more)
Hackers exploit JetBrains vulnerability
A Russian Foreign Intelligence Service-backed group known as CozyBear infiltrated JetBrains TeamCity servers via a critical vulnerability in the company’s software. (Read more)
Protestware on npm
ReversingLabs researchers discovered npm packages that hide scripts broadcasting messages of peace related to the conflicts in both Ukraine and in Israel and the Gaza Strip. (Read more)
IAmReboot
ReversingLabs researchers identified additional packages as part of a malicious campaign on NuGet, first discovered by Phylum, that exploited a loophole in NuGet’s MSBuild integrations feature.
(Read more)
Typosquatting delivers r77 rootkit
ReversingLabs discovered that one “s” was all that separated a legitimate npm package from a malicious twin, node-hide-console-windows, that delivered the r77 rootkit. (Read more)
Fake Roblox packages
ReversingLabs researchers discovered more than a dozen malicious packages targeting Roblox API users on the npm repository, and several of them placed Luna Grabber, an infostealer, on infected systems. (Read more)
VMConnect
ReversingLabs researchers discovered a malicious campaign on PyPI consisting of over two dozen packages that mimic popular open-source Python tools, and further digging uncovered that the campaign can be attributed to an offshoot of the Lazarus threat group. (Read more)
Attacks on the Banking Sector
Researchers at Checkmarx discovered what they believe to be the first set of open-source software supply chain attacks specifically targeting the banking sector, which all took place on npm. (Read more)
Operation Brainleeches
ReversingLabs researchers discovered what may be the first “dual-use” campaign on npm, with over a dozen malicious packages targeting application end users with software supply chain compromises, as well as supporting email phishing campaigns aimed at Microsoft 365 users. (Read more)
Jumpcloud
Phylum researchers first identified a malicious package on npm that is believed to be the precursor to a software supply chain attack on IT management firm JumpCloud, and ReversingLabs researchers later discovered more malicious packages on npm related to the campaign. (Read more)
MOVEit
Progress Software’s MOVEit file transfer management program was compromised, and the breach has impacted more than 600 organizations worldwide, making it one of the most significant supply chain attacks to date. (Read more)
Taking advantage of PYC file direct
Researchers at RL discovered a novel attack that used compiled Python code to evade detection in which the attackers took advantage of the fact that Python byte code (PYC) files can be directly executed. (Read more)
TurkoRat
ReversingLabs researchers discovered two malicious packages on npm that contained TurkoRat, an open source infostealer.
(Read more)
Repurposed Package Names
ReversingLabs researchers discovered a malicious package on PyPI named termcolour that delivers a three-stage downloader. The attackers repurposed an old package name to more easily distribute the malicious code. (Read more)
3CXDesktopApp
3CX, an enterprise voice over IP solution, released a version of its 3CX Desktop App, which was compromised with malicious code during the software package’s build stage. (Read more)
OpenAI Breach
OpenAI suffered a data breach that impacted ChatGPT Plus subscribers, which was tied to a bug in an open-source library that allowed some users to see titles from other users’ chat histories. (Read more)
Imposter HTTP libraries
Researchers at ReversingLabs discovered an increase in malicious HTTP libraries on PyPI, which are not really HTTP libraries, but rather are simple, malicious packages that utilize the “HTTP” name.
(Read more)
Aabquerys
ReversingLabs researchers discovered a malicious, typosquatted npm package, identified as aabquerys, which downloaded second and third stage malware payloads to systems that ran the package. (Read more)
VSCode Marketplace
Aqua discovered “several malicious extensions” for the Visual Studio Code integrated development environment (IDE) on the VSCode Marketplace, including the API Generator plugin and another dubbed code-tester. (Read more)
PyTorch
PyTorch-nightly contained a compromised dependency, known as torchtriton, that originated from the PyPI open source repository and contained a malicious binary, making it a supply chain attack. (Read more)
SentinelSneak
ReversingLabs researchers discovered a malicious Python package posing as a legitimate software development kit (SDK) that contained a malicious backdoor designed to avoid detection. (Read more)
Fantasy Wiper
An Iranian APT hacking group known as Agrius used a never-before-seen ‘Fantasy’ data wiper in multiple supply chain attacks between February - March 2022, and was discovered by researchers at ESET in December 2022.
(Read more)
SocGhoulish
Threat actor TA569 compromised the codebase of an application used to serve video and advertising to national and regional newspaper websites by spreading the SocGhoulish malware. (Read more)
W4SP Infostealer
Researchers at Phylum discovered more than a dozen PyPI packages that were modified to install the W4SP information stealer onto Python developers’ machines via a malicious _import_. (Read more)
PyPI-based Attack
A PyPI package, secretslib, claimed to perform secrets matching and verification, but covertly ran cryptominers in memory on the Linux machines on which it is installed. (Read more)
Npm-based Attack
Researchers at Sonatype identified 186 malicious npm packages that impersonated the heavily used QT and React JavaScript libraries. (Read more)
IconBust
ReversingLabs researchers identified more than two dozen npm packages, dating back six months, that contained obfuscated Javascript, with jQuery scripts designed to steal form data from deployed applications. (Read more)
Developer Sabotages Computers out of Protest
Brandon Nozaki Miller, the developer of node.ipc, pushed an update of his popular open source library that sabotaged computers in Russia and Belarus in retaliation for Russia’s invasion of Ukraine.
(Read more)
Lapsus$ Attacks Samsung
The Lapsus$ hacking group leveraged Samsung insiders to obtain VPN and virtual desktop credentials, then published approximately 200 GB of internal source code online, including software keys. (Read More)
Maintainer Sabotages Libraries Out of Protest
In an act of protest against corporations exploiting open source projects, npm libraries “colors” and “faker” were sabotaged by their maintainer, Marak Squires. (Read more)
Npm packages hijacked
The incident involved an npm account takeover causing the ‘coa’ and ‘rc’ packages to become hijacked in an effort to spread malware. (Read more)
MISO Cryptocurrency
SushiSwap's MISO cryptocurrency platform suffered a $3 million theft resulting from a software supply chain attack in which a malicious code commit was made to the platform’s private GitHub repository. (Read more)
SYNNEX
SYNNEX, a technology distributor, had its systems and Microsoft accounts attacked, which caused the Republican National Committee (one of its clients) to have a security incident. (Read more)
MonPass
The certificate authority MonPass was compromised with backdoors and webshells placed on a public server hosted by the company. (Read more)
Myanmar Presidential Website
A threat actor injected malware inside a localized Myanmar font package available for download on the website’s front page.
(Read more)
CodeCov
Attackers compromised Bash Uploader, a software development tool and used it to gain restricted access to hundreds of networks belonging to the San Francisco firm's customers. (Read more)
Passwordstate
Passwordstate is a password manager that was hit with an attack in which the attackers compromised the website’s software update feature to deliver a malicious update to any customer that updated the system within a specific timeframe. (Read more)
XcodeSpy
Xcode is an application development environment created by Apple that allows developers to create apps for any iOS device, and XcodeSpy is the malicious project targeting these iOS developers by installing a backdoor on the developer’s computer. (Read more)
Researcher Hacks Big Tech
Researcher Alex Birsan managed to breach over 35 major companies' internal systems, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber, in a novel dependency confusion supply chain attack. (Read more)
NoxPlayer
Attackers compromised the update mechanism of NoxPlayer, an Android emulator for PCs and Macs produced by the Hong Kong based firm BigNox, to deliver malware to victims. (Read more)
Stock Investors Targeted
The North Korean APT group known as Thallium exploited the legitimate installer of the stock investment platform by injecting specific commands that fetched a malicious XSL script from a rogue FTP server, and executed it on Windows systems via the in-built wmic.exe utility. (Read more)
Mimecast
A Mimecast-issued certificate used to authenticate some of the company’s products to Microsoft 365 Exchange Web Services was compromised by a threat actor. (Read more)
SignSight
Attackers compromised the Vietnam Government Certification Authority (VCGA) website by adding a backdoor component to the installers for legitimate software, making it hard to detect.
(Read more)
SolarWinds
Attackers believed to be working for the government of Russia compromised the software build system for SolarWinds Orion Network Management System software and distributed malicious code in the form of a software update to around 18,000 customers. (Read more)
Able Desktop
Two different trojanized installers and a compromised system update were used to attack Able Desktop users. (Read more)
WIZVERA VeraPort
South Korean users of a trusted download verification tool were targeted, prompting a browser plugin to install malware with stolen authentic digital certificates. (Read more)
Twilio
Attackers exploited a misconfigured Amazon S3 bucket used to serve Twilio’s TaskRouter JS SDK, inserting a malicious version that was served to customers for around 8 hours. (Read more)
Nano X Wallet
Attackers tampered with the software of the Nano X Wallet prior to the user accessing it, allowing malicious actors to take control of computer systems connected to one of these wallets. (Read more)
Aisino
Aisino’s tax software was used as a backdoor to gain access to the networks of foreign firms doing business with a Chinese bank. (Read more)
NetBeans
The Octopus Scanner attackers made GitHub repositories actively serve malware, which was designed to insert a malicious backdoor into NetBeans projects. (Read more)
Phones Contain Chinese Malware
The Unimax (UMX) U686CL was given to Americans with low-incomes as part of a government program, but the phones had pre-installed apps that were malicious, including an app that was a variant of the Adups malware. (Read more)
Agma
Attackers inserted a malicious package into the build chain for Agama via npm with the intent of stealing the wallet seeds and other login passphrases used within the Agama application. (Read more)
Operation ShadowHammer
A trojanized ASUS Live Updater file (setup.exe) which contained a digital signature of ASUSTeK Computer Inc was used to target a list of 600 targets (identified by unique MAC addresses) globally. (Read more)
Copay
Attackers injected malicious code into the Node.js Javascript software package, resulting in the theft of cryptocurrency from Copay wallets. (Read more)
PyPI Crypto Miner
A malicious package able to deliver a crypto miner was uploaded to the official repository for the Python programming language.
(Read more)
VestaCP
Attackers compromised VestaCP servers and used the access to make malicious changes to an installer that was ready for download. (Read more)
PDF Editor
Attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the app’s legitimate installer the unsuspecting carrier of a malicious payload. (Read more)
Browsealoud
A third party WordPress accessibility plugin called ‘Browsealoud’ had their servers compromised, which resulted in over 4,000 websites serving up crypto mining malware.
(Read more)
CCleaner
Hackers compromised the Piriform CCleaner software’s development and distribution systems, which contaminated millions of CCleaner downloads with malicious software. (Read more)
NotPetya
A compromise of the software update infrastructure of ME Doc resulted in the NotPetya wiper malware being delivered to more than 12,000 systems in Ukraine and 80 victim organizations in 64 countries. (Read more)
Kingslayer
Altair Technologies was the victim of backdoor malware inserted into one of its products in 2015.
(Read more)
SimDisk/Songsari
The attackers used the auto-update mechanism of a file-sharing and storage application known as SimDisk, in conjunction with taking advantage of Songsari.
(Read more)
Flame Malware Collision
An attacker used a digital certificate to insert malware into Microsoft’s Terminal Services licensing system’s enrollment process for certificates.
(Read more)
Trans-Siberian Pipeline
An alleged CIA operation to pass compromised ICS software to Russian intelligence results in a massive explosion in Siberia.
(Read more)
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.
Get your 14-day free trial of Spectra Assure
Get Free TrialMore about Spectra Assure Free Trial