This repository contains links to articles of software supply chain compromises. The goal is not to catalog every known supply chain attack, but rather to capture many examples of different kinds of attack, so that we can better understand the patterns and develop best practices and tools.
For definitions of each compromise type, please check out our compromise definitions page
We welcome additions to this catalog by filing an issue or github pull request
Contents of this repo and proposed additions are not a statement or opinion on the security stance and/or practices of a given project, of open source, or the community. These articles and stories annotate the communities dedication to rapid response, evolving security practices, transparent disclosure, and enforcement of one of open sources founding principles, "Linus's Law".
When submitting an addition, please review the definitions page to ensure the Type of Compromise on the details of the incidents as well as the Catalog itself are consistent. If a definition doesn't exist or a new type of compromise needs added, please include that as well.
| Name | Year | Type of compromise | Link |
|---|---|---|---|
| Malware Disguised as Installer used to target Korean Public Institution | 2024 | Trust and Signing | 1 |
| 3proxy signing incident | 2024 | Trust and Signing | 1 |
| xz backdoor incident | 2024 | Malicious Maintainer | 1 |
| GitGot: using GitHub repositories as exfiltration store | 2024 | Trust and Signing | 1 |
| ManageEngine xmlsec dependency | 2023 | Outdated Dependencies | 1 |
| Retool Spear Phishing | 2023 | Dev Tooling | 1 |
| Fake Dependabot commits | 2023 | Source Code | 1 |
| Okta Source Code Theft | 2022 | Source Code Dev Tooling |
1 |
| Auth0 Source Code Theft | 2022 | Source Code Dev Tooling |
1 2 |
| RubyGems Package Overwrite Flaw | 2022 | Publishing Infrastructure | 1 |
| Legitimate software update mechanism abused to deliver wiper malware | 2022 | Publishing Infrastructure | 1 |
| Docker Hub malicious containers | 2022 | Publishing Infrastructure | 1 |
| Chat100 live chat trojan | 2022 | Publishing Infrastructure | 1 |
| Dropbox GitHub compromise | 2022 | Attack Chaining | 1 |
| Intel Alder Lake BIOS leak | 2022 | Source Code | 1 |
| PEAR PHP Package Manager compromise | 2022 | Dev Tooling | 1 |
| npm Library ‘node-ipc’ Sabotaged with npm Library ‘peacenotwar’ in Protest by their Maintainer | 2022 | Malicious Maintainer | 1 |
| npm Libraries ‘colors’ and ‘faker’ Sabotaged in Protest by their Maintainer | 2022 | Malicious Maintainer | 1 |
| GCP Golang Buildpacks Old Compiler Injection | 2022 | Source Code | 1 |
| WordPress theme publisher compromised | 2022 | Source Code Publishing Infrastructure |
1, 2 |
| Remote code injection in Log4j | 2021 | Source code | 1 |
| Compromise of npm packages coa and rc | 2021 | Malicious Maintainer | 1 |
| Compromise of ua-parser-js | 2021 | Malicious Maintainer | 1 |
| The klow / klown / okhsa incident | 2021 | Negligence | 1 |
| PHP self-hosted git server | 2021 | Source Code Dev Tooling |
1 |
| Homebrew | 2021 | Dev Tooling | 1, 2 |
| Codecov | 2021 | Source Code | 1 |
| Repojacking exposed private repositories through supply-chain compromise | 2021 | Negligence | 1 |
| VSCode GitHub | 2021 | Dev Tooling | 1 |
| Free Download Manager | 2020 | Publishing Infrastructure | 1 |
| SUNBURST/SUNSPOT/Solarigate | 2020 | Publishing Infrastructure | 1, 2, 3 |
| The Great Suspender | 2020 | Malicious Maintainer | 1,2 |
| Abusing misconfigured SonarQube applications | 2020 | Dev Tooling | 1, 2 |
| Octopus Scanner | 2020 | Dev Tooling | 1,2 |
| NPM reverse shells and data mining | 2020 | Dev Tooling | 1 |
Binaries of the CLI for monero compromised |
2019 | Publishing Infrastructure | 1, 2, 3 |
| Webmin backdoor | 2019 | Dev Tooling | 1, 2 |
| purescript-npm | 2019 | Source Code | 1 and 2 |
| electron-native-notify | 2019 | Source Code | 1, 2 |
| PyPI typosquatting | 2019 | Negligence | 1 |
| ROS build farm compromise | 2019 | Trust and Signing Publishing Infrastructure |
1, 2 |
| ShadowHammer | 2019 | Attack Chaining | 1, 2 |
| PEAR Breach | 2019 | Publishing Infrastructure | 1, 2 |
| Canonical's GitHub org compromised | 2019 | Dev Tooling Source Code Publishing infrastructure |
1 |
| The event-stream vulnerability | 2018 | Malicious Maintainer | 1,2 |
| Dofoil | 2018 | Publishing Infrastructure | 1 |
| Operation Red | 2018 | Publishing Infrastructure | 1 |
| RCE in go get -u | 2018 | Dev Tooling | 1, 2 |
| acroread compromised in AUR | 2018 | Malicious Maintainer | 1, 2 |
| Gentoo Incident | 2018 | Source Code | 1 |
| Unnamed Maker | 2018 | Publishing Infrastructure | 1 |
| Colourama | 2018 | Negligence | 1, 2 |
| Foxif/CCleaner | 2017 | Publishing Infrastructure | 1 |
| HandBrake | 2017 | Publishing Infrastructure | 1 |
| Kingslayer | 2017 | Publishing Infrastructure | 1 |
| HackTask | 2017 | Negligence | 1 |
| NotPetya | 2017 | Attack Chaining | 1 |
| Bitcoin Gold | 2017 | Source Code | 1 |
| ExpensiveWall | 2017 | Dev Tooling | 1, 2 |
| OSX Elmedia player | 2017 | Publishing infrastructure | 1 |
| GitHub password recovery issues | 2016 | Dev Tool Source Code |
1, 2 |
| keydnap | 2016 | Publishing infrastructure | 1, 2 |
| Fosshub Breach | 2016 | Publishing infrastructure | 1, 2 |
| Linux Mint | 2016 | Publishing infrastructure | 1 |
| Juniper Incident | 2015 | Source Code | 1 |
| XCodeGhost | 2015 | Fake toolchain | 1 |
| Ceph and Inktank | 2015 | Source Code Publishing infrastructure |
1 |
| Code Spaces | 2014 | Source Code | 1 |
| Monju Incident | 2014 | Publishing infrastructure | 1 |
| APT lack of validation for source packages | 2013 | Negligence | 1 |
| GitHub Ruby on Rails Repository Hack | 2012 | Source Code Dev Tooling |
1, 2 |
| kernel.org Infrastructure Compromise | 2011 | Publishing infrastructure | 1, 2 |
| FSF Website Hack | 2010 | Source Code | 1 |
| apache.org Internal Tools Compromise | 2010 | Attack Chaining | 1 |
| Operation Aurora | 2010 | Watering-hole attack | 1 |
| ProFTPD Hack and Backdoor | 2010 | Publishing Infrastructure | 1 |
| WordPress backdoor | 2007 | Source Code Publishing Infrastructure |
1 |
| SquirrelMail backdoor | 2007 | Source Code Publishing Infrastructure |
1 |
| Linux Kernel CVS Repository Hack | 2003 | Source Code Dev Tooling |
1 |
| gentoo rsync compromise | 2003 | Publishing Infrastructure | 1 |
| Debian infra compromise | 2003 | Publishing infrastructure | 1 |
| Unix Support Group login backdoor | 1975 | Dev Tooling | 1 |