Catalog of Supply Chain Compromises

This repository contains links to articles about software supply chain compromises. The goal is not to catalog every known supply chain attack, but rather to capture many examples of different kinds of attack, so that we can better understand the patterns and develop best practices and tools.

For definitions of each compromise type, please check out our compromise definitions page.

We welcome additions to this catalog by filing an issue or GitHub pull request.

Contents of this repo and proposed additions are not a statement or opinion on the security stance and/or practices of a given project, of open source, or the community. These articles and stories document the community's dedication to rapid response, evolving security practices, transparent disclosure, and enforcement of one of open source's founding principles, "Linus's Law".

When submitting an addition, please review the definitions page to ensure that the Type of Compromise given in the incident details and in the Catalog itself are consistent. If a definition doesn't exist or a new type of compromise needs to be added, please include that as well.

| Name | Year | Type of compromise | Link |
| --- | --- | --- | --- |
| Polyfill.io Infrastructure Takeover Leading to Malware Distribution | 2024 | Publishing Infrastructure | 1 |
| Malware Disguised as Installer used to target Korean Public Institution | 2024 | Trust and Signing | 1 |
| 3proxy signing incident | 2024 | Trust and Signing | 1 |
| xz backdoor incident | 2024 | Malicious Maintainer | 1 |
| GitGot: using GitHub repositories as exfiltration store | 2024 | Trust and Signing | 1 |
| ManageEngine xmlsec dependency | 2023 | Outdated Dependencies | 1 |
| Retool Spear Phishing | 2023 | Dev Tooling | 1 |
| Fake Dependabot commits | 2023 | Source Code | 1 |
| Okta Source Code Theft | 2022 | Source Code, Dev Tooling | 1 |
| Auth0 Source Code Theft | 2022 | Source Code, Dev Tooling | 1, 2 |
| RubyGems Package Overwrite Flaw | 2022 | Publishing Infrastructure | 1 |
| Legitimate software update mechanism abused to deliver wiper malware | 2022 | Publishing Infrastructure | 1 |
| Docker Hub malicious containers | 2022 | Publishing Infrastructure | 1 |
| Chat100 live chat trojan | 2022 | Publishing Infrastructure | 1 |
| Dropbox GitHub compromise | 2022 | Attack Chaining | 1 |
| Intel Alder Lake BIOS leak | 2022 | Source Code | 1 |
| PEAR PHP Package Manager compromise | 2022 | Dev Tooling | 1 |
| npm Library ‘node-ipc’ Sabotaged with npm Library ‘peacenotwar’ in Protest by their Maintainer | 2022 | Malicious Maintainer | 1 |
| npm Libraries ‘colors’ and ‘faker’ Sabotaged in Protest by their Maintainer | 2022 | Malicious Maintainer | 1 |
| GCP Golang Buildpacks Old Compiler Injection | 2022 | Source Code | 1 |
| WordPress theme publisher compromised | 2022 | Source Code, Publishing Infrastructure | 1, 2 |
| Remote code injection in Log4j | 2021 | Source Code | 1 |
| Compromise of npm packages coa and rc | 2021 | Malicious Maintainer | 1 |
| Compromise of ua-parser-js | 2021 | Malicious Maintainer | 1 |
| The klow / klown / okhsa incident | 2021 | Negligence | 1 |
| PHP self-hosted git server | 2021 | Source Code, Dev Tooling | 1 |
| Homebrew | 2021 | Dev Tooling | 1, 2 |
| Codecov | 2021 | Source Code | 1 |
| Repojacking exposed private repositories through supply-chain compromise | 2021 | Negligence | 1 |
| VSCode GitHub | 2021 | Dev Tooling | 1 |
| Free Download Manager | 2020 | Publishing Infrastructure | 1 |
| SUNBURST/SUNSPOT/Solarigate | 2020 | Publishing Infrastructure | 1, 2, 3 |
| The Great Suspender | 2020 | Malicious Maintainer | 1, 2 |
| Abusing misconfigured SonarQube applications | 2020 | Dev Tooling | 1, 2 |
| Octopus Scanner | 2020 | Dev Tooling | 1, 2 |
| NPM reverse shells and data mining | 2020 | Dev Tooling | 1 |
| Binaries of the CLI for monero compromised | 2019 | Publishing Infrastructure | 1, 2, 3 |
| Webmin backdoor | 2019 | Dev Tooling | 1, 2 |
| purescript-npm | 2019 | Source Code | 1, 2 |
| electron-native-notify | 2019 | Source Code | 1, 2 |
| PyPI typosquatting | 2019 | Negligence | 1 |
| ROS build farm compromise | 2019 | Trust and Signing, Publishing Infrastructure | 1, 2 |
| ShadowHammer | 2019 | Attack Chaining | 1, 2 |
| PEAR Breach | 2019 | Publishing Infrastructure | 1, 2 |
| Canonical’s GitHub org compromised | 2019 | Dev Tooling, Source Code, Publishing Infrastructure | 1 |
| The event-stream vulnerability | 2018 | Malicious Maintainer | 1, 2 |
| Dofoil | 2018 | Publishing Infrastructure | 1 |
| Operation Red | 2018 | Publishing Infrastructure | 1 |
| RCE in `go get -u` | 2018 | Dev Tooling | 1, 2 |
| acroread compromised in AUR | 2018 | Malicious Maintainer | 1, 2 |
| Gentoo Incident | 2018 | Source Code | 1 |
| Unnamed Maker | 2018 | Publishing Infrastructure | 1 |
| Colourama | 2018 | Negligence | 1, 2 |
| Foxif/CCleaner | 2017 | Publishing Infrastructure | 1 |
| HandBrake | 2017 | Publishing Infrastructure | 1 |
| Kingslayer | 2017 | Publishing Infrastructure | 1 |
| HackTask | 2017 | Negligence | 1 |
| NotPetya | 2017 | Attack Chaining | 1 |
| Bitcoin Gold | 2017 | Source Code | 1 |
| ExpensiveWall | 2017 | Dev Tooling | 1, 2 |
| OSX Elmedia player | 2017 | Publishing Infrastructure | 1 |
| GitHub password recovery issues | 2016 | Dev Tooling, Source Code | 1, 2 |
| keydnap | 2016 | Publishing Infrastructure | 1, 2 |
| Fosshub Breach | 2016 | Publishing Infrastructure | 1, 2 |
| Linux Mint | 2016 | Publishing Infrastructure | 1 |
| Juniper Incident | 2015 | Source Code | 1 |
| XCodeGhost | 2015 | Fake Toolchain | 1 |
| Ceph and Inktank | 2015 | Source Code, Publishing Infrastructure | 1 |
| Code Spaces | 2014 | Source Code | 1 |
| Monju Incident | 2014 | Publishing Infrastructure | 1 |
| APT lack of validation for source packages | 2013 | Negligence | 1 |
| GitHub Ruby on Rails Repository Hack | 2012 | Source Code, Dev Tooling | 1, 2 |
| kernel.org Infrastructure Compromise | 2011 | Publishing Infrastructure | 1, 2 |
| FSF Website Hack | 2010 | Source Code | 1 |
| apache.org Internal Tools Compromise | 2010 | Attack Chaining | 1 |
| Operation Aurora | 2010 | Watering-hole Attack | 1 |
| ProFTPD Hack and Backdoor | 2010 | Publishing Infrastructure | 1 |
| WordPress backdoor | 2007 | Source Code, Publishing Infrastructure | 1 |
| SquirrelMail backdoor | 2007 | Source Code, Publishing Infrastructure | 1 |
| Linux Kernel CVS Repository Hack | 2003 | Source Code, Dev Tooling | 1 |
| gentoo rsync compromise | 2003 | Publishing Infrastructure | 1 |
| Debian infra compromise | 2003 | Publishing Infrastructure | 1 |
| Unix Support Group login backdoor | 1975 | Dev Tooling | 1 |