
SSCS attacks: A (partial) history

The Sunburst hack of SolarWinds put software supply chain attacks on everyone’s radar. But they aren’t new. Here’s an abbreviated history of key attacks and compromises.

Paul Roberts, Director of Content and Editorial at RL

The widespread campaign of software supply chain hacks that were behind the attack on SolarWinds began in 2020, and unofficially elevated software supply chain security to the top echelon of cyber risks to both government and the private sector. Subsequent events, like the emergence of the Log4Shell vulnerability in the Log4j2 open source library, underscored that software supply chain risk is for real.

However, if you think of supply chain threats and attacks as a new problem plaguing software producers and their customers, you are wrong. In fact, software supply chain attacks have been with us for years — decades even — though they haven’t always demanded the kind of attention and response they now receive.

Below is a list of known software supply chain attacks, compiled from public records and reporting. This list is — of course — incomplete. First, it is likely that there have been attacks in which the details have not been made public. Second, these attacks are happening all the time, making any accounting incomplete. Finally, opinions on what constitutes a software supply chain attack can differ from expert to expert.


A chronology of software supply chain attacks

Below is a list of known (documented, reported) attacks involving compromises of software supply chains (from latest to oldest).

  1. December 2023 Global

    Malware leveraging public infrastructure

    ReversingLabs researchers discovered two novel pieces of malware leveraging GitHub: one abusing GitHub Gists, the other issuing commands through git commit messages. (Read more)

  2. December 2023 Global

    Hackers exploit JetBrains vulnerability

    A Russian Foreign Intelligence Service-backed group known as CozyBear infiltrated JetBrains TeamCity servers via a critical vulnerability in the company’s software. (Read more)

  3. November 2023 Israel and Russia

    Protestware on npm

    ReversingLabs researchers discovered npm packages that hide scripts broadcasting messages of peace related to the conflicts in both Ukraine and in Israel and the Gaza Strip. (Read more)

  4. October 2023 Global

    IAmReboot

    ReversingLabs researchers identified additional packages as part of a malicious campaign on NuGet, first discovered by Phylum, that exploited a loophole in NuGet’s MSBuild integrations feature.
    (Read more)

  5. October 2023 Global

    Typosquatting delivers r77 rootkit

    ReversingLabs discovered that one “s” was all that separated a legitimate npm package from a malicious twin, node-hide-console-windows, that delivered the r77 rootkit. (Read more)

  6. August 2023 Global

    Fake Roblox packages

    ReversingLabs researchers discovered more than a dozen malicious packages targeting Roblox API users on the npm repository, and several of them placed Luna Grabber, an infostealer, on infected systems. (Read more)

  7. August 2023 Global

    VMConnect

    ReversingLabs researchers discovered a malicious campaign on PyPI consisting of over two dozen packages that mimic popular open-source Python tools, and further digging uncovered that the campaign can be attributed to an offshoot of the Lazarus threat group. (Read more)

  8. July 2023 Global

    Attacks on the Banking Sector

    Researchers at Checkmarx discovered what they believe to be the first set of open-source software supply chain attacks specifically targeting the banking sector, which all took place on npm. (Read more)

  9. July 2023 Global

    Operation Brainleeches

    ReversingLabs researchers discovered what may be the first “dual-use” campaign on npm, with over a dozen malicious packages targeting application end users with software supply chain compromises, as well as supporting email phishing campaigns aimed at Microsoft 365 users. (Read more)

  10. June 2023 Global

    JumpCloud

    Phylum researchers first identified a malicious package on npm that is believed to be the precursor to a software supply chain attack on IT management firm JumpCloud, and ReversingLabs researchers later discovered more malicious packages on npm related to the campaign. (Read more)

  11. June 2023 Global

    MOVEit

    Progress Software’s MOVEit file transfer management program was compromised, and the breach has impacted more than 600 organizations worldwide, making it one of the most significant supply chain attacks to date. (Read more)

  12. June 2023 Global

    Taking advantage of PYC file direct

    Researchers at RL discovered a novel attack that used compiled Python code to evade detection in which the attackers took advantage of the fact that Python byte code (PYC) files can be directly executed. (Read more)

  13. May 2023 Global

    TurkoRat

    ReversingLabs researchers discovered two malicious packages on npm that contained TurkoRat, an open source infostealer.
    (Read more)

  14. April 2023 Global

    Repurposed Package Names

    ReversingLabs researchers discovered a malicious package on PyPI named termcolour that delivers a three-stage downloader. The attackers repurposed an old package name to more easily distribute the malicious code. (Read more)

  15. March 2023 Global

    3CXDesktopApp

    3CX, an enterprise voice over IP solution, released a version of its 3CX Desktop App, which was compromised with malicious code during the software package’s build stage. (Read more)

  16. March 2023 Global

    OpenAI Breach

    OpenAI suffered a data breach that impacted ChatGPT Plus subscribers, which was tied to a bug in an open-source library that allowed some users to see titles from other users’ chat histories. (Read more)

  17. February 2023 Global

    Imposter HTTP libraries

    Researchers at ReversingLabs discovered an increase in malicious HTTP libraries on PyPI, which are not really HTTP libraries, but rather are simple, malicious packages that utilize the “HTTP” name.
    (Read more)

  18. February 2023 Global

    Aabquerys

    ReversingLabs researchers discovered a malicious, typosquatted npm package, identified as aabquerys, which downloaded second and third stage malware payloads to systems that ran the package. (Read more)

  19. January 2023 Global

    VSCode Marketplace

    Aqua discovered “several malicious extensions” for the Visual Studio Code integrated development environment (IDE) on the VSCode Marketplace, including the API Generator plugin and another dubbed code-tester. (Read more)

  20. December 2022 Global

    PyTorch

    PyTorch-nightly contained a compromised dependency, known as torchtriton, that originated from the PyPI open source repository and contained a malicious binary, making it a supply chain attack. (Read more)

  21. December 2022 Global

    SentinelSneak

    ReversingLabs researchers discovered a malicious Python package posing as a legitimate software development kit (SDK) that contained a malicious backdoor designed to avoid detection. (Read more)

  22. December 2022 Israel, Hong Kong, South Korea

    Fantasy Wiper

    An Iranian APT hacking group known as Agrius used a never-before-seen ‘Fantasy’ data wiper in multiple supply chain attacks between February and March 2022; the wiper was discovered by researchers at ESET in December 2022.
    (Read more)

  23. November 2022 Global

    SocGholish

    Threat actor TA569 compromised the codebase of an application used to serve video and advertising to national and regional newspaper websites by spreading the SocGholish malware. (Read more)

  24. October 2022 Global

    W4SP Infostealer

    Researchers at Phylum discovered more than a dozen PyPI packages that were modified to install the W4SP information stealer onto Python developers’ machines via a malicious __import__. (Read more)

  25. August 2022 Global

    PyPI-based Attack

    A PyPI package, secretslib, claimed to perform secrets matching and verification, but covertly ran cryptominers in memory on the Linux machines on which it is installed. (Read more)

  26. August 2022 Global

    Npm-based Attack

    Researchers at Sonatype identified 186 malicious npm packages that impersonated the heavily used QT and React JavaScript libraries. (Read more)

  27. July 2022 Global

    IconBust

    ReversingLabs researchers identified more than two dozen npm packages, dating back six months, that contained obfuscated JavaScript, with jQuery scripts designed to steal form data from deployed applications. (Read more)

  28. March 2022 Global

    Developer Sabotages Computers out of Protest

    Brandon Nozaki Miller, the developer of node-ipc, pushed an update of his popular open source library that sabotaged computers in Russia and Belarus in retaliation for Russia’s invasion of Ukraine.
    (Read more)

  29. March 2022 South Korea

    Lapsus$ Attacks Samsung

    The Lapsus$ hacking group leveraged Samsung insiders to obtain VPN and virtual desktop credentials, then published approximately 200 GB of internal source code online, including software keys. (Read more)

  30. January 2022 Global

    Maintainer Sabotages Libraries Out of Protest

    In an act of protest against corporations exploiting open source projects, npm libraries “colors” and “faker” were sabotaged by their maintainer, Marak Squires. (Read more)

  31. November 2021 Global

    Npm packages hijacked

    The incident involved an npm account takeover causing the ‘coa’ and ‘rc’ packages to become hijacked in an effort to spread malware. (Read more)

  32. September 2021 Global

    MISO Cryptocurrency

    SushiSwap's MISO cryptocurrency platform suffered a $3 million theft resulting from a software supply chain attack in which a malicious code commit was made to the platform’s private GitHub repository. (Read more)

  33. July 2021 Global

    SYNNEX

    SYNNEX, a technology distributor, had its systems and Microsoft accounts attacked, which caused the Republican National Committee (one of its clients) to have a security incident. (Read more)

  34. July 2021 Global

    MonPass

    The certificate authority MonPass was compromised with backdoors and webshells placed on a public server hosted by the company. (Read more)

  35. June 2021 Global

    Myanmar Presidential Website

    A threat actor injected malware inside a localized Myanmar font package available for download on the website’s front page.
    (Read more)

  36. April 2021 United States

    CodeCov

    Attackers compromised Bash Uploader, a software development tool, and used it to gain restricted access to hundreds of networks belonging to the San Francisco firm's customers. (Read more)

  37. April 2021 Australia

    Passwordstate

    Passwordstate is a password manager that was hit with an attack in which the attackers compromised the website’s software update feature to deliver a malicious update to any customer that updated the system within a specific timeframe. (Read more)

  38. March 2021 United States

    XcodeSpy

    Xcode is an application development environment created by Apple that allows developers to create apps for any iOS device, and XcodeSpy is the malicious project targeting these iOS developers by installing a backdoor on the developer’s computer. (Read more)

  39. February 2021 Global

    Researcher Hacks Big Tech

    Researcher Alex Birsan managed to breach over 35 major companies' internal systems, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber, in a novel dependency confusion supply chain attack. (Read more)

  40. February 2021 Hong Kong

    NoxPlayer

    Attackers compromised the update mechanism of NoxPlayer, an Android emulator for PCs and Macs produced by the Hong Kong-based firm BigNox, to deliver malware to victims. (Read more)

  41. January 2021 Global

    Stock Investors Targeted

    The North Korean APT group known as Thallium exploited the legitimate installer of the stock investment platform by injecting specific commands that fetched a malicious XSL script from a rogue FTP server, and executed it on Windows systems via the in-built wmic.exe utility. (Read more)

  42. January 2021 United Kingdom

    Mimecast

    A Mimecast-issued certificate used to authenticate some of the company’s products to Microsoft 365 Exchange Web Services was compromised by a threat actor. (Read more)

  43. December 2020 Vietnam

    SignSight

    Attackers compromised the Vietnam Government Certification Authority (VGCA) website by adding a backdoor component to the installers for legitimate software, making it hard to detect.
    (Read more)

  44. December 2020 United States

    SolarWinds

    Attackers believed to be working for the government of Russia compromised the software build system for SolarWinds Orion Network Management System software and distributed malicious code in the form of a software update to around 18,000 customers. (Read more)

  45. December 2020 Mongolia

    Able Desktop

    Two different trojanized installers and a compromised system update were used to attack Able Desktop users. (Read more)

  46. November 2020 South Korea

    WIZVERA VeraPort

    South Korean users of a trusted download verification tool were targeted, prompting a browser plugin to install malware with stolen authentic digital certificates. (Read more)

  47. July 2020 United States

    Twilio

    Attackers exploited a misconfigured Amazon S3 bucket used to serve Twilio’s TaskRouter JS SDK, inserting a malicious version that was served to customers for around 8 hours. (Read more)

  48. July 2020 Global

    Nano X Wallet

    Attackers tampered with the software of the Nano X Wallet prior to the user accessing it, allowing malicious actors to take control of computer systems connected to one of these wallets. (Read more)

  49. July 2020 Global

    Aisino

    Aisino’s tax software was used as a backdoor to gain access to the networks of foreign firms doing business with a Chinese bank. (Read more)

  50. May 2020 Global

    NetBeans

    The Octopus Scanner attackers made GitHub repositories actively serve malware, which was designed to insert a malicious backdoor into NetBeans projects. (Read more)

  51. January 2020 United States

    Phones Contain Chinese Malware

    The Unimax (UMX) U686CL was given to Americans with low incomes as part of a government program, but the phones had pre-installed apps that were malicious, including an app that was a variant of the Adups malware. (Read more)

  52. June 2019 United States

    Agama

    Attackers inserted a malicious package into the build chain for Agama via npm with the intent of stealing the wallet seeds and other login passphrases used within the Agama application. (Read more)

  53. April 2019 Taiwan

    Operation ShadowHammer

    A trojanized ASUS Live Updater file (setup.exe) which contained a digital signature of ASUSTeK Computer Inc was used to target a list of 600 targets (identified by unique MAC addresses) globally. (Read more)

  54. November 2018 United States

    Copay

    Attackers injected malicious code into the Node.js JavaScript software package, resulting in the theft of cryptocurrency from Copay wallets. (Read more)

  55. October 2018 Global

    PyPI Crypto Miner

    A malicious package able to deliver a crypto miner was uploaded to the official repository for the Python programming language.
    (Read more)

  56. October 2018 Global

    VestaCP

    Attackers compromised VestaCP servers and used the access to make malicious changes to an installer that was ready for download. (Read more)

  57. July 2018 Global

    PDF Editor

    Attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the app’s legitimate installer the unsuspecting carrier of a malicious payload. (Read more)

  58. February 2018 Global

    Browsealoud

    A third-party WordPress accessibility plugin called ‘Browsealoud’ had its servers compromised, which resulted in over 4,000 websites serving up crypto mining malware.
    (Read more)

  59. September 2017 United Kingdom

    CCleaner

    Hackers compromised the Piriform CCleaner software’s development and distribution systems, which contaminated millions of CCleaner downloads with malicious software. (Read more)

  60. July 2017 Ukraine

    NotPetya

    A compromise of the software update infrastructure of ME Doc resulted in the NotPetya wiper malware being delivered to more than 12,000 systems in Ukraine and 80 victim organizations in 64 countries. (Read more)

  61. February 2017 Canada

    Kingslayer

    Altair Technologies was the victim of backdoor malware inserted into one of its products in 2015.
    (Read more)

  62. July 2013 South Korea

    SimDisk/Songsari

    The attackers used the auto-update mechanism of a file-sharing and storage application known as SimDisk, in conjunction with taking advantage of Songsari.
    (Read more)

  63. June 2012 Global

    Flame Malware Collision

    An attacker used a digital certificate to insert malware into Microsoft’s Terminal Services licensing system’s enrollment process for certificates.
    (Read more)

  64. October 1982 Siberia

    Trans-Siberian Pipeline

    An alleged CIA operation to pass compromised ICS software to Russian intelligence results in a massive explosion in Siberia.
    (Read more)
