<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1076912843267184&amp;ev=PageView&amp;noscript=1">
RL Blog

A (partial) history of software supply chain attacks

The Sunburst hack of SolarWinds put supply chain attacks on everyone’s radar. But they aren’t new. Here’s an abbreviated history of key supply chain attacks and compromises.

Paul Roberts
Blog Author

Paul Roberts, Content Lead at ReversingLabs.

A (Partial) History of Software Supply Chain Attacks

The widespread campaign of software supply chain hacks that were behind the attack on SolarWinds began in 2020, and unofficially elevated software supply chain security to the top echelon of cyber risks to both government and the private sector. Subsequent events, like the emergence of the Log4Shell vulnerability in the Log4j2 open source library, underscored that software supply chain risk is for real.

However, if you are thinking that supply chain threats and attacks as a new problem plaguing software producers and their customers, you are wrong. In fact, software supply chain attacks have been with us for years — decades even — though they haven’t always demanded the kind of attention and response they now receive.

Below is a list of known software supply chain attacks, compiled from public records and reporting. This list is — of course — incomplete. First: it is likely that there have been supply chain attacks in which the details have not been made public. Second, these attacks are happening all the time, making any accounting of software supply chain attacks incomplete. Finally, opinions on what constitutes a software supply chain attack can differ from expert to expert. 

[ Special Report: The State of Software Supply Chain Security (SSCS) 2024 | Download Report: State of SSCS ]

A chronology of software supply chain attacks

Below is a list of known (documented, reported) attacks involving compromises of software supply chains (from latest to oldest). 


December 2023 Global

Malware leveraging public infrastructure

ReversingLabs researchers discovered two novel pieces of malware leveraging GitHub: one abusing GitHub Gists, the other issuing commands through git commit messages. (Read more)

December 2023 Global

Hackers exploit JetBrains vulnerability

A Russian Foreign Intelligence Service-backed group known as CozyBear infiltrated JetBrains TeamCity servers via a critical vulnerability in the company’s software. (Read more)

November 2023 Israel and Russia

Protestware on npm

ReversingLabs researchers discovered npm packages that hide scripts broadcasting messages of peace related to the conflicts in both Ukraine and in Israel and the Gaza Strip. (Read more)

October 2023 Global


ReversingLabs researchers identified additional packages as part of a malicious campaign on NuGet, first discovered by Phylum, that exploited a loophole in NuGet’s MSBuild integrations feature.
(Read more)

October 2023 Global

Typosquatting delivers r77 rootkit

ReversingLabs discovered that one “s” was all that separated a legitimate npm package from a malicious twin, node-hide-console-windows, that delivered the r77 rootkit. (Read more)

August 2023 Global

Fake Roblox packages

ReversingLabs researchers discovered more than a dozen malicious packages targeting Roblox API users on the npm repository, and several of them placed Luna Grabber, an infostealer, on infected systems. (Read more)

August 2023 Global


ReversingLabs researchers discovered a malicious campaign on PyPI consisting of over two dozen packages that mimic popular open-source Python tools, and further digging uncovered that the campaign can be attributed to an offshoot of the Lazarus threat group. (Read more)

July 2023 Global

Attacks on the Banking Sector

Researchers at Checkmarx discovered what they believe to be the first set of open-source software supply chain attacks specifically targeting the banking sector, which all took place on npm. (Read more)

July 2023 Global

Operation Brainleeches

ReversingLabs researchers discovered what may be the first “dual-use” campaign on npm, with over a dozen malicious packages targeting application end users with software supply chain compromises, as well as supporting email phishing campaigns aimed at Microsoft 365 users. (Read more)

June 2023 Global


Phylum researchers first identified a malicious package on npm that is believed to be the precursor to a software supply chain attack on IT management firm JumpCloud, and ReversingLabs researchers later discovered more malicious packages on npm related to the campaign. (Read more)

June 2023 Global


Progress Software’s MOVEit file transfer management program was compromised, and the breach has impacted more than 600 organizations worldwide, making it one of the most significant supply chain attacks to date. (Read more)

June 2023 Global

Taking advantage of PYC file direct

Researchers at RL discovered a novel attack that used compiled Python code to evade detection in which the attackers took advantage of the fact that Python byte code (PYC) files can be directly executed. (Read more)

May 2023 Global


ReversingLabs researchers discovered two malicious packages on npm that contained TurkoRat, an open source infostealer.
(Read more)

April 2023 Global

Repurposed Package Names

ReversingLabs researchers discovered a malicious package on PyPI named termcolour that delivers a three-stage downloader. The attackers repurposed an old package name to more easily distribute the malicious code. (Read more)

March 2023 Global


3CX, an enterprise voice over IP solution, released a version of its 3CX Desktop App, which was compromised with malicious code during the software package’s build stage. (Read more)

March 2023 Global

OpenAI Breach

OpenAI suffered a data breach that impacted ChatGPT Plus subscribers, which was tied to a bug in an open-source library that allowed some users to see titles from other users’ chat histories. (Read more)

February 2023 Global

Imposter HTTP libraries

Researchers at ReversingLabs discovered an increase in malicious HTTP libraries on PyPI, which are not really HTTP libraries, but rather are simple, malicious packages that utilize the “HTTP” name.
(Read more)

February 2023 Global


ReversingLabs researchers discovered a malicious, typosquatted npm package, identified as aabquerys, which downloaded second and third stage malware payloads to systems that ran the package. (Read more)

January 2023 Global

VSCode Marketplace

Aqua discovered “several malicious extensions” for the Visual Studio Code integrated development environment (IDE) on the VSCode Marketplace, including the API Generator plugin and another dubbed code-tester. (Read more)

December 2022 Global


PyTorch-nightly contained a compromised dependency, known as torchtriton, that originated from the PyPI open source repository and contained a malicious binary, making it a supply chain attack. (Read more)

December 2022 Global


ReversingLabs researchers discovered a malicious Python package posing as a legitimate software development kit (SDK) that contained a malicious backdoor designed to avoid detection. (Read more)

December 2022 Israel, Hong Kong, South Korea

Fantasy Wiper

An Iranian APT hacking group known as Agrius used a never-before-seen ‘Fantasy’ data wiper in multiple supply chain attacks between February - March 2022, and was discovered by researchers at ESET in December 2022.
(Read more)

November 2022 Global


Threat actor TA569 compromised the codebase of an application used to serve video and advertising to national and regional newspaper websites by spreading the SocGhoulish malware. (Read more)

October 2022 Global

W4SP Infostealer

Researchers at Phylum discovered more than a dozen PyPI packages that were modified to install the W4SP information stealer onto Python developers’ machines via a malicious _import_. (Read more)

August 2022 Global

PyPI-based Attack

A PyPI package, secretslib, claimed to perform secrets matching and verification, but covertly ran cryptominers in memory on the Linux machines on which it is installed. (Read more)

August 2022 Global

Npm-based Attack

Researchers at Sonatype identified 186 malicious npm packages that impersonated the heavily used QT and React JavaScript libraries. (Read more)

July 2022 Global


ReversingLabs researchers identified more than two dozen npm packages, dating back six months, that contained obfuscated Javascript, with jQuery scripts designed to steal form data from deployed applications. (Read more)

March 2022 Global

Developer Sabotages Computers out of Protest

Brandon Nozaki Miller, the developer of node.ipc, pushed an update of his popular open source library that sabotaged computers in Russia and Belarus in retaliation for Russia’s invasion of Ukraine.
(Read more)

March 2022 South Korea

Lapsus$ Attacks Samsung

The Lapsus$ hacking group leveraged Samsung insiders to obtain VPN and virtual desktop credentials, then published approximately 200 GB of internal source code online, including software keys. (Read More)

January 2022 Global

Maintainer Sabotages Libraries Out of Protest

In an act of protest against corporations exploiting open source projects, npm libraries “colors” and “faker” were sabotaged by their maintainer, Marak Squires. (Read more)

November 2021 Global

Npm packages hijacked

The incident involved an npm account takeover causing the ‘coa’ and ‘rc’ packages to become hijacked in an effort to spread malware. (Read more)

September 2021 Global

MISO Cryptocurrency

SushiSwap's MISO cryptocurrency platform suffered a $3 million theft resulting from a software supply chain attack in which a malicious code commit was made to the platform’s private GitHub repository. (Read more)

July 2021 Global


SYNNEX, a technology distributor, had its systems and Microsoft accounts attacked, which caused the Republican National Committee (one of its clients) to have a security incident. (Read more)

July 2021 Global


The certificate authority MonPass was compromised with backdoors and webshells placed on a public server hosted by the company. (Read more)

June 2021 Global

Myanmar Presidential Website

A threat actor injected malware inside a localized Myanmar font package available for download on the website’s front page.
(Read more)

April 2021 United States


Attackers compromised Bash Uploader, a software development tool and used it to gain restricted access to hundreds of networks belonging to the San Francisco firm's customers. (Read more)

April 2021 Australia


Passwordstate is a password manager that was hit with an attack in which the attackers compromised the website’s software update feature to deliver a malicious update to any  customer that updated the system within a specific timeframe. (Read more)

March 2021 United States


Xcode is an application development environment created by Apple that allows developers to create apps for any iOS device, and XcodeSpy is the malicious project targeting these iOS developers by installing a backdoor on the developer’s computer. (Read more)

February 2021 Global

Researcher Hacks Big Tech

Researcher Alex Birsan managed to breach over 35 major companies' internal systems, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber, in a novel dependency confusion supply chain attack. (Read more)

February 2021 Hong Kong



compromised the update mechanism of  NoxPlayer, an  Android emulator for  PCs and Macs produced by the Hong Kong based firm BigNox, to deliver malware to victims. (Read more)

January 2021 Global

Stock Investors Targeted

The North Korean APT group known as Thallium exploited the legitimate installer of the stock investment platform by injecting specific commands that fetched a malicious XSL script from a rogue FTP server, and executed it on Windows systems via the in-built wmic.exe utility. (Read more)

January 2021 United Kingdom


A Mimecast-issued certificate used to authenticate some of the company’s products to Microsoft 365 Exchange Web Services was compromised by a threat actor. (Read more)

December 2020 Vietnam


Attackers compromised the Vietnam Government Certification Authority (VCGA) website by adding a backdoor component to the installers for legitimate software, making it hard to detect.
(Read more)

December 2020 United States


Attackers believed to be working for the government of Russia compromised the software build system for SolarWinds Orion Network Management System software and distributed malicious code in the form of a software update to around 18,000 customers. (Read more)

December 2020 Mongolia

Able Desktop

Two different trojanized installers and a compromised system update were used to attack Able Desktop users. (Read more)

November 2020 South Korea


South Korean users of a trusted download verification tool were targeted, prompting a browser plugin to install malware with stolen authentic digital certificates. (Read more)

July 2020 United States


Attackers exploited a misconfigured Amazon S3 bucket used to serve Twilio’s TaskRouter JS SDK, inserting a malicious version that was served to customers for around 8 hours. (Read more)

July 2020 Global

Nano X Wallet

Attackers tampered with the software of the Nano X Wallet prior to the user accessing it, allowing malicious actors to take control of computer systems connected to one of these wallets. (Read more)

July 2020 Global


Aisino’s tax software was used as a backdoor to gain access to the networks of foreign firms doing business with a Chinese bank. (Read more)

May 2020 Global


The Octopus Scanner attackers made GitHub repositories actively serve malware, which was designed to insert a malicious backdoor into NetBeans projects. (Read more)

January 2020 United States

Phones Contain Chinese Malware

The Unimax (UMX) U686CL was given to Americans with low-incomes as part of a government program, but the phones had pre-installed apps that were malicious, including an app that was a variant of the Adups malware. (Read more)

June 2019 United States


Attackers inserted a malicious package into the build chain for Agama via npm with the intent of stealing the wallet seeds and other login passphrases used within the Agama application. (Read more)

April 2019 Taiwan

Operation ShadowHammer

A trojanized ASUS Live Updater file (setup.exe) which contained a digital signature of ASUSTeK Computer Inc was used to target a list of 600 targets (identified by unique MAC addresses) globally. (Read more)

November 2018 United States


Attackers injected malicious code into the Node.js Javascript software package, resulting in the theft of cryptocurrency from Copay wallets. (Read more)

October 2018 Global

PyPI Crypto Miner

A malicious package able to deliver a crypto miner was uploaded to the official repository for the Python programming language.
(Read more)

October 2018 Global


Attackers compromised VestaCP servers and used the access to make malicious changes to an installer that was ready for download. (Read more)

July 2018 Global

PDF Editor

Attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the app’s legitimate installer the unsuspecting carrier of a malicious payload. (Read more)

February 2018 Global


A third party WordPress accessibility plugin called ‘Browsealoud’ had their servers compromised, which resulted in over 4,000 websites serving up crypto mining malware.
(Read more)

September 2017 United Kingdom


Hackers compromised the Piriform CCleaner software’s development and distribution systems, which contaminated millions of CCleaner downloads with malicious software. (Read more)

July 2017 Ukraine


A compromise of the software update infrastructure of ME Doc resulted in the NotPetya wiper malware being delivered to more than 12,000 systems in Ukraine and 80 victim organizations in 64 countries. (Read more)

February 2017 Canada


Altair Technologies was the victim of backdoor malware inserted into one of its products in 2015.
(Read more)

July 2013 South Korea


The attackers used the auto-update mechanism of a file-sharing and storage application known as SimDisk, in conjunction with taking advantage of Songsari.
(Read more)

June 2012 Global

Flame Malware Collision

An attacker used a digital certificate to insert malware into Microsoft’s Terminal Services licensing system’s enrollment process for certificates.
(Read more)

October 1982 Siberia

Trans-Siberian Pipeline

An alleged CIA operation to pass compromised ICS software to Russian intelligence results in a massive explosion in Siberia.
(Read more)


Keep learning

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

More Blog Posts