This repository contains links to articles about software supply chain compromises. The goal is not to catalog every known supply chain attack, but rather to capture many examples of different kinds of attack, so that we can better understand the patterns and develop best practices and tools.
For definitions of each compromise type, please check out our compromise definitions page.
We welcome additions to this catalog by filing an issue or GitHub pull request.
Contents of this repo and proposed additions are not a statement or opinion on the security stance and/or practices of a given project, of open source, or of the community. These articles and stories document the community's dedication to rapid response, evolving security practices, transparent disclosure, and enforcement of one of open source's founding principles, "Linus's Law".
When submitting an addition, please review the definitions page to ensure that the Type of Compromise given in the incident details and in the catalog itself are consistent. If a definition doesn't exist or a new type of compromise needs to be added, please include that as well.
Name | Year | Type of compromise | Link |
---|---|---|---|
RubyGems Package Overwrite Flaw | 2022 | Publishing Infrastructure | 1 |
Legitimate software update mechanism abused to deliver wiper malware | 2022 | Publishing Infrastructure | 1 |
Docker Hub malicious containers | 2022 | Publishing Infrastructure | 1 |
Chat100 live chat trojan | 2022 | Publishing Infrastructure | 1 |
Dropbox GitHub compromise | 2022 | Attack Chaining | 1 |
Intel Alder Lake BIOS leak | 2022 | Source Code | 1 |
PEAR PHP Package Manager compromise | 2022 | Dev Tooling | 1 |
npm Library ‘node-ipc’ Sabotaged with npm Library ‘peacenotwar’ in Protest by their Maintainer | 2022 | Malicious Maintainer | 1 |
npm Libraries ‘colors’ and ‘faker’ Sabotaged in Protest by their Maintainer | 2022 | Malicious Maintainer | 1 |
GCP Golang Buildpacks Old Compiler Injection | 2022 | Source Code | 1 |
WordPress theme publisher compromised | 2022 | Source Code | 1, 2 |
Remote code injection in Log4j | 2021 | Source Code | 1 |
Compromise of npm packages coa and rc | 2021 | Malicious Maintainer | 1 |
Compromise of ua-parser-js | 2021 | Malicious Maintainer | 1 |
The klow / klown / okhsa incident | 2021 | Negligence | 1 |
PHP self-hosted git server | 2021 | Dev Tooling | 1 |
Homebrew | 2021 | Dev Tooling | 1, 2 |
Codecov | 2021 | Source Code | 1 |
Repojacking exposed private repositories through supply-chain compromise | 2021 | Negligence | 1 |
VSCode GitHub | 2021 | Dev Tooling | 1 |
SUNBURST/SUNSPOT/Solarigate | 2020 | Publishing Infrastructure | 1, 2, 3 |
The Great Suspender | 2020 | Malicious Maintainer | 1, 2 |
Abusing misconfigured SonarQube applications | 2020 | Dev Tooling | 1, 2 |
Octopus Scanner | 2020 | Dev Tooling | 1, 2 |
NPM reverse shells and data mining | 2020 | Dev Tooling | 1 |
Binaries of the CLI for monero compromised | 2019 | Publishing Infrastructure | 1, 2, 3 |
Webmin backdoor | 2019 | Dev Tooling | 1, 2 |
purescript-npm | 2019 | Source Code | 1, 2 |
electron-native-notify | 2019 | Source Code | 1, 2 |
PyPI typosquatting | 2019 | Negligence | 1 |
ROS build farm compromise | 2019 | Trust and Signing, Publishing Infrastructure | 1, 2 |
ShadowHammer | 2019 | Attack Chaining | 1, 2 |
PEAR Breach | 2019 | Publishing Infrastructure | 1, 2 |
Canonical's GitHub org compromised | 2019 | Dev Tooling, Source Code, Publishing Infrastructure | 1 |
The event-stream vulnerability | 2018 | Malicious Maintainer | 1, 2 |
Dofoil | 2018 | Publishing Infrastructure | 1 |
Operation Red | 2018 | Publishing Infrastructure | 1 |
RCE in go get -u | 2018 | Dev Tooling | 1, 2 |
acroread compromised in AUR | 2018 | Malicious Maintainer | 1, 2 |
Gentoo Incident | 2018 | Source Code | 1 |
Unnamed Maker | 2018 | Publishing Infrastructure | 1 |
Colourama | 2018 | Negligence | 1, 2 |
Foxif/CCleaner | 2017 | Publishing Infrastructure | 1 |
HandBrake | 2017 | Publishing Infrastructure | 1 |
Kingslayer | 2017 | Publishing Infrastructure | 1 |
HackTask | 2017 | Negligence | 1 |
NotPetya | 2017 | Attack Chaining | 1 |
Bitcoin Gold | 2017 | Source Code | 1 |
ExpensiveWall | 2017 | Dev Tooling | 1, 2 |
OSX Elmedia player | 2017 | Publishing Infrastructure | 1 |
GitHub password recovery issues | 2016 | Dev Tooling, Source Code | 1, 2 |
keydnap | 2016 | Publishing Infrastructure | 1, 2 |
Fosshub Breach | 2016 | Publishing Infrastructure | 1, 2 |
Linux Mint | 2016 | Publishing Infrastructure | 1 |
Juniper Incident | 2015 | Source Code | 1 |
XCodeGhost | 2015 | Fake toolchain | 1 |
Ceph and Inktank | 2015 | Source Code, Publishing Infrastructure | 1 |
Code Spaces | 2014 | Source Code | 1 |
Monju Incident | 2014 | Publishing Infrastructure | 1 |
APT lack of validation for source packages | 2013 | Negligence | 1 |
kernel.org compromise | 2011 | Publishing Infrastructure | 1, 2 |
apache.org incident | 2010 | Attack Chaining | 1 |
Operation Aurora | 2010 | Watering-hole attack | 1 |
ProFTPD | 2010 | Source Code | 1 |
WordPress backdoor | 2007 | Source Code, Publishing Infrastructure | 1 |
SquirrelMail backdoor | 2007 | Source Code | 1 |
gentoo rsync compromise | 2003 | Source Code Repository | 1 |
Debian infra compromise | 2003 | Publishing Infrastructure | 1 |
Unix Support Group login backdoor | <1984 | Dev Tooling | 1 |