The developer device is the new supply chain attack blind spot
The software supply chain has had a brutal run.
In the past few months, we’ve seen attacks against Axios, Trivy, LiteLLM, SAP, Vercel, and a new Mini Shai-Hulud campaign that has impacted a long list of packages that includes TanStack, UiPath, and Mistral AI.
Then GitHub confirmed that attackers had accessed nearly 3,800 internal repositories after a poisoned VS Code extension landed on a single employee’s laptop.
The extension was Nx Console, a legitimate tool with 2.2 million installs and a verified publisher badge, compromised using a stolen token from a separate supply chain attack.
The malicious version was live on the marketplace for just eighteen minutes, but auto-update had already pushed it to running editors during that window.
These attacks came through different doors.
A browser extension, a worm in the package registry, a poisoned IDE plugin. But they all landed on the same thing: a developer’s machine....
Copyright of this story solely belongs to techradar.com.