Skip to content

A Survey of 2024–2025 Open‑Source Supply‑Chain Compromises a...#237

Merged
carlospolop merged 1 commit intomasterfrom
update_A_Survey_of_2024_2025_Open_Source_Supply_Chain_Com_20251229_014719
Jan 13, 2026
Merged

A Survey of 2024–2025 Open‑Source Supply‑Chain Compromises a...#237
carlospolop merged 1 commit intomasterfrom
update_A_Survey_of_2024_2025_Open_Source_Supply_Chain_Com_20251229_014719

Conversation

@carlospolop
Copy link
Collaborator

@carlospolop carlospolop commented Dec 29, 2025

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://words.filippo.io/compromise-survey/
  • Blog Title: A Survey of 2024–2025 Open‑Source Supply‑Chain Compromises and Their Root Causes
  • Suggested Section: 🏭 Pentesting CI/CD -> Github Security (expand existing GitHub Actions content with: 1) "GitHub Actions Trigger Abuse (pull_request_target & issue_comment pwn requests)"; 2) "GitHub Actions Cache Poisoning & Cross‑Workflow Escalation"; 3) "Mutable Action Tags & Supply‑Chain Takeovers"; 4) "CI Token Exfiltration & Long‑Lived Credential Abuse")

🎯 Content Summary

This post surveys documented 2024–2025 open‑source software supply‑chain compromises and categorizes their initial access vectors, then derives concrete, technical mitigations that maintainers can apply to reduce compromise risk. It focuses on depended‑upon projects (libraries, tools, Actions) and ignores purely malicious packages, package‑manager bugs, and one‑off app compromises.


Case studies and root causes

@carlospolop
Copy link
Collaborator Author

carlospolop commented Dec 29, 2025

🔗 Additional Context

Original Blog Post: https://words.filippo.io/compromise-survey/

Content Categories: Based on the analysis, this content was categorized under "🏭 Pentesting CI/CD -> Github Security (expand existing GitHub Actions content with: 1) "GitHub Actions Trigger Abuse (pull_request_target & issue_comment pwn requests)"; 2) "GitHub Actions Cache Poisoning & Cross‑Workflow Escalation"; 3) "Mutable Action Tags & Supply‑Chain Takeovers"; 4) "CI Token Exfiltration & Long‑Lived Credential Abuse")".

Repository Maintenance:

  • MD Files Formatting: 574 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop carlospolop merged commit 5d8a658 into master Jan 13, 2026
@carlospolop carlospolop deleted the update_A_Survey_of_2024_2025_Open_Source_Supply_Chain_Com_20251229_014719 branch January 13, 2026 13:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@carlospolop