The widespread campaign of software supply chain hacks that were behind the attack on SolarWinds began in 2020, and unofficially elevated software supply chain security to the top echelon of cyber risks to both government and the private sector. Subsequent events, like the emergence of the Log4Shell vulnerability in the Log4j2 open source library, underscored that software supply chain risk is for real.
However, if you are thinking that supply chain threats and attacks as a new problem plaguing software producers and their customers, you are wrong. In fact, software supply chain attacks have been with us for years — decades even — though they haven’t always demanded the kind of attention and response they now receive.
Below is a list of known software supply chain attacks, compiled from public records and reporting. This list is — of course — incomplete. First: it is likely that there have been attacks in which the details have not been made public. Second, these attacks are happening all the time, making any accounting incomplete. Finally, opinions on what constitutes a software supply chain attack can differ from expert to expert.
[ Special Report: The State of Software Supply Chain Security (SSCS) 2024 | Download Report: State of SSCS ]
A chronology of software supply chain attacks
Below is a list of known (documented, reported) attacks involving compromises of software supply chains (from latest to oldest).
December 2023
Global
Malware leveraging public infrastructure
ReversingLabs researchers discovered two novel pieces of malware leveraging GitHub: one abusing GitHub Gists, the other issuing commands through git commit messages. (Read more)
December 2023
Global
Hackers exploit JetBrains vulnerability
A Russian Foreign Intelligence Service-backed group known as CozyBear infiltrated JetBrains TeamCity servers via a critical vulnerability in the company’s software. (Read more)
November 2023 Israel and Russia
Protestware on npm
ReversingLabs researchers discovered npm packages that hide scripts broadcasting messages of peace related to the conflicts in both Ukraine and in Israel and the Gaza Strip. (Read more)
October 2023
Global
IAmReboot
ReversingLabs researchers identified additional packages as part of a malicious campaign on NuGet, first discovered by Phylum, that exploited a loophole in NuGet’s MSBuild integrations feature.
(Read more)
October 2023
Global
Typosquatting delivers r77 rootkit
ReversingLabs discovered that one “s” was all that separated a legitimate npm package from a malicious twin, node-hide-console-windows, that delivered the r77 rootkit. (Read more)
August 2023
Global
Fake Roblox packages
ReversingLabs researchers discovered more than a dozen malicious packages targeting Roblox API users on the npm repository, and several of them placed Luna Grabber, an infostealer, on infected systems. (Read more)
August 2023
Global
VMConnect
ReversingLabs researchers discovered a malicious campaign on PyPI consisting of over two dozen packages that mimic popular open-source Python tools, and further digging uncovered that the campaign can be attributed to an offshoot of the Lazarus threat group. (Read more)
July 2023
Global
Attacks on the Banking Sector
Researchers at Checkmarx discovered what they believe to be the first set of open-source software supply chain attacks specifically targeting the banking sector, which all took place on npm. (Read more)
July 2023
Global
Operation Brainleeches
ReversingLabs researchers discovered what may be the first “dual-use” campaign on npm, with over a dozen malicious packages targeting application end users with software supply chain compromises, as well as supporting email phishing campaigns aimed at Microsoft 365 users. (Read more)
June 2023
Global
Jumpcloud
Phylum researchers first identified a malicious package on npm that is believed to be the precursor to a software supply chain attack on IT management firm JumpCloud, and ReversingLabs researchers later discovered more malicious packages on npm related to the campaign. (Read more)
June 2023
Global
MOVEit
Progress Software’s MOVEit file transfer management program was compromised, and the breach has impacted more than 600 organizations worldwide, making it one of the most significant supply chain attacks to date. (Read more)
June 2023
Global
Taking advantage of PYC file direct
Researchers at RL discovered a novel attack that used compiled Python code to evade detection in which the attackers took advantage of the fact that Python byte code (PYC) files can be directly executed. (Read more)
May 2023
Global
TurkoRat
ReversingLabs researchers discovered two malicious packages on npm that contained TurkoRat, an open source infostealer.
(Read more)
April 2023
Global
Repurposed Package Names
ReversingLabs researchers discovered a malicious package on PyPI named termcolour that delivers a three-stage downloader. The attackers repurposed an old package name to more easily distribute the malicious code. (Read more)
March 2023
Global
3CXDesktopApp
3CX, an enterprise voice over IP solution, released a version of its 3CX Desktop App, which was compromised with malicious code during the software package’s build stage. (Read more)
March 2023
Global
OpenAI Breach
OpenAI suffered a data breach that impacted ChatGPT Plus subscribers, which was tied to a bug in an open-source library that allowed some users to see titles from other users’ chat histories. (Read more)
February 2023
Global
Imposter HTTP libraries
Researchers at ReversingLabs discovered an increase in malicious HTTP libraries on PyPI, which are not really HTTP libraries, but rather are simple, malicious packages that utilize the “HTTP” name.
(Read more)
February 2023
Global
Aabquerys
ReversingLabs researchers discovered a malicious, typosquatted npm package, identified as aabquerys, which downloaded second and third stage malware payloads to systems that ran the package. (Read more)
January 2023
Global
VSCode Marketplace
Aqua discovered “several malicious extensions” for the Visual Studio Code integrated development environment (IDE) on the VSCode Marketplace, including the API Generator plugin and another dubbed code-tester. (Read more)
December 2022
Global
PyTorch
PyTorch-nightly contained a compromised dependency, known as torchtriton, that originated from the PyPI open source repository and contained a malicious binary, making it a supply chain attack. (Read more)
December 2022
Global
SentinelSneak
ReversingLabs researchers discovered a malicious Python package posing as a legitimate software development kit (SDK) that contained a malicious backdoor designed to avoid detection. (Read more)
December 2022 Israel, Hong Kong, South Korea
Fantasy Wiper
An Iranian APT hacking group known as Agrius used a never-before-seen ‘Fantasy’ data wiper in multiple supply chain attacks between February - March 2022, and was discovered by researchers at ESET in December 2022.
(Read more)
November 2022
Global
SocGhoulish
Threat actor TA569 compromised the codebase of an application used to serve video and advertising to national and regional newspaper websites by spreading the SocGhoulish malware. (Read more)
October 2022
Global
W4SP Infostealer
Researchers at Phylum discovered more than a dozen PyPI packages that were modified to install the W4SP information stealer onto Python developers’ machines via a malicious _import_. (Read more)
August 2022
Global
PyPI-based Attack
A PyPI package, secretslib, claimed to perform secrets matching and verification, but covertly ran cryptominers in memory on the Linux machines on which it is installed. (Read more)
August 2022
Global
Npm-based Attack
Researchers at Sonatype identified 186 malicious npm packages that impersonated the heavily used QT and React JavaScript libraries. (Read more)
July 2022
Global
IconBust
ReversingLabs researchers identified more than two dozen npm packages, dating back six months, that contained obfuscated Javascript, with jQuery scripts designed to steal form data from deployed applications. (Read more)
March 2022
Global
Developer Sabotages Computers out of Protest
Brandon Nozaki Miller, the developer of node.ipc, pushed an update of his popular open source library that sabotaged computers in Russia and Belarus in retaliation for Russia’s invasion of Ukraine.
(Read more)
March 2022
South Korea
Lapsus$ Attacks Samsung
The Lapsus$ hacking group leveraged Samsung insiders to obtain VPN and virtual desktop credentials, then published approximately 200 GB of internal source code online, including software keys. (Read More)
January 2022
Global
Maintainer Sabotages Libraries Out of Protest
In an act of protest against corporations exploiting open source projects, npm libraries “colors” and “faker” were sabotaged by their maintainer, Marak Squires. (Read more)
November 2021
Global
Npm packages hijacked
The incident involved an npm account takeover causing the ‘coa’ and ‘rc’ packages to become hijacked in an effort to spread malware. (Read more)
September 2021
Global
MISO Cryptocurrency
SushiSwap's MISO cryptocurrency platform suffered a $3 million theft resulting from a software supply chain attack in which a malicious code commit was made to the platform’s private GitHub repository. (Read more)
July 2021
Global
SYNNEX
SYNNEX, a technology distributor, had its systems and Microsoft accounts attacked, which caused the Republican National Committee (one of its clients) to have a security incident. (Read more)
July 2021
Global
MonPass
The certificate authority MonPass was compromised with backdoors and webshells placed on a public server hosted by the company. (Read more)
June 2021
Global
Myanmar Presidential Website
A threat actor injected malware inside a localized Myanmar font package available for download on the website’s front page.
(Read more)
April 2021
United States
CodeCov
Attackers compromised Bash Uploader, a software development tool and used it to gain restricted access to hundreds of networks belonging to the San Francisco firm's customers. (Read more)
April 2021
Australia
Passwordstate
Passwordstate is a password manager that was hit with an attack in which the attackers compromised the website’s software update feature to deliver a malicious update to any customer that updated the system within a specific timeframe. (Read more)
March 2021
United States
XcodeSpy
Xcode is an application development environment created by Apple that allows developers to create apps for any iOS device, and XcodeSpy is the malicious project targeting these iOS developers by installing a backdoor on the developer’s computer. (Read more)
February 2021
Global
Researcher Hacks Big Tech
Researcher Alex Birsan managed to breach over 35 major companies' internal systems, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber, in a novel dependency confusion supply chain attack. (Read more)
February 2021
Hong Kong
NoxPlayer
Attackerscompromised the update mechanism of NoxPlayer, an Android emulator for PCs and Macs produced by the Hong Kong based firm BigNox, to deliver malware to victims. (Read more)
January 2021
Global
Stock Investors Targeted
The North Korean APT group known as Thallium exploited the legitimate installer of the stock investment platform by injecting specific commands that fetched a malicious XSL script from a rogue FTP server, and executed it on Windows systems via the in-built wmic.exe utility. (Read more)
January 2021
United Kingdom
Mimecast
A Mimecast-issued certificate used to authenticate some of the company’s products to Microsoft 365 Exchange Web Services was compromised by a threat actor. (Read more)
December 2020
Vietnam
SignSight
Attackers compromised the Vietnam Government Certification Authority (VCGA) website by adding a backdoor component to the installers for legitimate software, making it hard to detect.
(Read more)
December 2020
United States
SolarWinds
Attackers believed to be working for the government of Russia compromised the software build system for SolarWinds Orion Network Management System software and distributed malicious code in the form of a software update to around 18,000 customers. (Read more)
December 2020
Mongolia
Able Desktop
Two different trojanized installers and a compromised system update were used to attack Able Desktop users. (Read more)
November 2020
South Korea
WIZVERA VeraPort
South Korean users of a trusted download verification tool were targeted, prompting a browser plugin to install malware with stolen authentic digital certificates. (Read more)
July 2020
United States
Twilio
Attackers exploited a misconfigured Amazon S3 bucket used to serve Twilio’s TaskRouter JS SDK, inserting a malicious version that was served to customers for around 8 hours. (Read more)
July 2020
Global
Nano X Wallet
Attackers tampered with the software of the Nano X Wallet prior to the user accessing it, allowing malicious actors to take control of computer systems connected to one of these wallets. (Read more)
July 2020
Global
Aisino
Aisino’s tax software was used as a backdoor to gain access to the networks of foreign firms doing business with a Chinese bank. (Read more)
May 2020
Global
NetBeans
The Octopus Scanner attackers made GitHub repositories actively serve malware, which was designed to insert a malicious backdoor into NetBeans projects. (Read more)
January 2020
United States
Phones Contain Chinese Malware
The Unimax (UMX) U686CL was given to Americans with low-incomes as part of a government program, but the phones had pre-installed apps that were malicious, including an app that was a variant of the Adups malware. (Read more)
June 2019
United States
Agma
Attackers inserted a malicious package into the build chain for Agama via npm with the intent of stealing the wallet seeds and other login passphrases used within the Agama application. (Read more)
April 2019
Taiwan
Operation ShadowHammer
A trojanized ASUS Live Updater file (setup.exe) which contained a digital signature of ASUSTeK Computer Inc was used to target a list of 600 targets (identified by unique MAC addresses) globally. (Read more)
November 2018
United States
Copay
Attackers injected malicious code into the Node.js Javascript software package, resulting in the theft of cryptocurrency from Copay wallets. (Read more)
October 2018
Global
PyPI Crypto Miner
A malicious package able to deliver a crypto miner was uploaded to the official repository for the Python programming language.
(Read more)
October 2018
Global
VestaCP
Attackers compromised VestaCP servers and used the access to make malicious changes to an installer that was ready for download. (Read more)
July 2018
Global
PDF Editor
Attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the app’s legitimate installer the unsuspecting carrier of a malicious payload. (Read more)
February 2018
Global
Browsealoud
A third party WordPress accessibility plugin called ‘Browsealoud’ had their servers compromised, which resulted in over 4,000 websites serving up crypto mining malware.
(Read more)
September 2017
United Kingdom
CCleaner
Hackers compromised the Piriform CCleaner software’s development and distribution systems, which contaminated millions of CCleaner downloads with malicious software. (Read more)
July 2017
Ukraine
NotPetya
A compromise of the software update infrastructure of ME Doc resulted in the NotPetya wiper malware being delivered to more than 12,000 systems in Ukraine and 80 victim organizations in 64 countries. (Read more)
February 2017
Canada
Kingslayer
Altair Technologies was the victim of backdoor malware inserted into one of its products in 2015.
(Read more)
July 2013
South Korea
SimDisk/Songsari
The attackers used the auto-update mechanism of a file-sharing and storage application known as SimDisk, in conjunction with taking advantage of Songsari.
(Read more)
June 2012
Global
Flame Malware Collision
An attacker used a digital certificate to insert malware into Microsoft’s Terminal Services licensing system’s enrollment process for certificates.
(Read more)
October 1982 Siberia
Trans-Siberian Pipeline
An alleged CIA operation to pass compromised ICS software to Russian intelligence results in a massive explosion in Siberia.
(Read more)
