ReversingLabs vs VirusTotal - See why RL is the #1 alternative to VT with 7x the file threat intelligence
Learn More
Podcast | The state of open source software security: Attack methods, policy, more
Listen Now
Secure by Design: Why Trust Matters for Software Risk Management with Chris Hughes and Sasa Zdjelar
Register Now

Sample Reports for Software Supply Chain Security

EXPLORE OUR INTERACTIVE REPORTS, WHICH HELP YOU HALT ATTACKS AND IMPROVE SECURITY QUALITY

IconBurst - Escalation of Attacker Tactics

IconBurst is the first typosquatting attack to trigger the payload only after its host software release package is deployed by unsuspecting users.

Learn More

Log4j - Critical remote code execution vulnerability

When new critical vulnerabilities are reported, SBOM depth, accuracy & search via portal & CLI can minimize the effort to understand your exposure.

Learn More

3CX - Malicious code added during build process

Attackers compromised the build by injecting encrypted shellcode through trusted and signed binary artifacts, all without breaking the existing signature.
Learn More

IconBurst - Escalation of Attacker Tactics

IconBurst is the first typosquatting attack to trigger the payload only after its host software release package is deployed by unsuspecting users.

secure.software analysis report Read our blog: IconBurst NPM software supply chain attack grabs data from apps and websites

CodeCov’s Supply Chain Compromise

Attackers who compromise software delivery platforms can modify releases to attack production or customer environments. This happened to CodeCov.

secure.software analysis report Read our blog on the CodeCov compromise

How Automated Updating Can Serve Up Malware

When maintainer accounts of popular open source packages are compromised, altered versions can serve malware to automated CI/CD systems during the exposure window. 

secure.software analysis report

Malware Targeting Developer’s Credentials

Typosquatting attacks prey on developers mistyping open source package names. The malicious payload usually steals credentials to pivot through developer toolchains.

secure.software analysis report - #1 Read our blog: Groundhog day: NPM package caught stealing browser passwords

Malicious Data Mining for Money

This malicious package auto-executes & achieves persistence when installed. It finds & replaces digital wallet urls which transfers funds to the attacker.

secure.software analysis report Read our blog: Mining for malicious RubyGems

Malicious Open Source Planting

This maliciuos package is installed as a library that runs when interactive non-login shells are created, making it difficult for code reviews to detect.

secure.software analysis report Read our blog: Beware of imposter libraries on PyPI

Sensitive information data leaks

Secrets used during development that are accidentally built into releases or containers are easy for attackers to find & use to compromise software pipelines.

secure.software analysis report Read our blog: PyPI packages containing sensitive information

Tampering with digitally signed content

This example shows a tampered signature issue discovered in a Microsoft package. Automated version differencing validated remediation & passed the next build for release.

secure.software analysis report Read our blog: Trouble with software integrity validation

Log4j - Critical remote code execution vulnerability

When new critical vulnerabilities are reported, SBOM depth, accuracy & search via portal & CLI can minimize the effort to understand your exposure.

secure.software analysis report Read our blog: Log4j is why you need an SBOM

Vulnerabilities in statically linked code

Statically linked libraries can be invisible without binary analysis. This example package has critical vulnerabilities in statically linked open source libraries.

secure.software analysis report Read our blog: Third-party code comes with some baggage

3CX - Malicious code added during build process

Attackers compromised the build by injecting encrypted shellcode through trusted and signed binary artifacts, all without breaking the existing signature.
Read our blog: Red flags fly over 3CX Webinar: Deconstructing 3CX Software Package