Topic

#Supply Chain Security

7 articles on Supply Chain Security — news, releases, guides and analysis from the DevClubHouse engine.

Arch's AUR Malware Sprawl Hits 1,579 Packages

A user-repository compromise that started at 400 packages ballooned past 1,500 before Arch developers purged the malicious commits.

Emeka Okafor

Homebrew 6.0.0 Makes You Trust Your Taps

The package manager now gates third-party tap code behind explicit trust and extends Bubblewrap sandboxing to Linux.

Release · 3d ago7

npm v12 Is About to Stop Running Your Install Scripts — Here's What to Audit

The next npm major flips lifecycle scripts, Git, and remote-URL dependencies from opt-out to opt-in. The warnings are already live in 11.16.0, so you have until July to find out what breaks.

News · 5d ago5

Miasma Worm Hits Microsoft Packages Twice in Weeks — and Your SLSA Provenance Won't Save You

The Miasma credential stealer has now compromised the same Microsoft GitHub account twice, defeating cryptographic supply-chain guarantees and triggering silently when developers open packages in AI coding agents.

Article · 5d ago1

uv Gets Built-In Vulnerability and Malware Scanning

Astral's uv package manager adds `uv audit` and optional install-time malware checks powered by OSV, closing supply-chain gaps that separate tooling can't easily address.

News · 6d ago1

Config Files That Run Code: The Supply Chain Blind Spot Nobody Is Auditing

The Miasma worm didn't need a malicious dependency. It used .claude/settings.json, .vscode/tasks.json, and package.json to detonate a credential stealer — before you read a single line of code.

Article · 6d ago0

Config Files That Run Code: The Supply Chain Blindspot You're Probably Not Auditing

The Miasma worm hid a credential-stealing dropper inside ordinary config files for VS Code, Cursor, Claude Code, Gemini CLI, npm, Composer, and Bundler. Here's exactly how each vector works — and what to review before you clone.

Article · 6d ago0