The developer device is the new supply chain attack blind spot


The software supply chain has had a brutal run.

In the past few months, we’ve seen attacks against Axios, Trivy, LiteLLM, SAP, Vercel, and a new Mini Shai-Hulud campaign that has impacted a long list of packages that includes TanStack, UiPath, and Mistral AI.

Then GitHub confirmed that attackers had accessed nearly 3,800 internal repositories after a poisoned VS Code extension landed on a single employee’s laptop.

The extension was Nx Console, a legitimate tool with 2.2 million installs and a verified publisher badge, compromised using a stolen token from a separate supply chain attack.

The malicious version was live on the marketplace for just eighteen minutes, but auto-update had already pushed it to running editors during that window.

These attacks came through different doors.

A browser extension, a worm in the package registry, a poisoned IDE plugin. But they all landed on the same thing: a developer’s machine....

Copyright of this story solely belongs to techradar.com.