_PyPI, npm, and Docker

Published: 13 June 2026
on channel: DIESEC

The supply chain attack that didn’t care about your code

Supply‑chain attacks used to target build artefacts.

Today, they target developers themselves.

In just 48 hours, multiple campaigns poisoned npm, PyPI, and Docker tooling, not to sabotage software outputs, but to harvest credentials, tokens, and secrets sitting on developer machines and CI runners.

Some of these attacks even self‑propagated.

Credentials from one environment were used to infect the next.

That’s the shift.

The goal isn’t breaking production builds.
It’s inheriting the trust developers already have across cloud, CI/CD, and deployment pipelines.
Once attackers get that access, they don’t need persistence. They can come back whenever they like.

Where this bites hardest:

Developer environments mix personal habits with production access.
Package managers optimise for speed, not quarantine or verification.
CI systems often run with broader permissions than anyone remembers approving.

Next 48 hours:

✅ Audit which CI workflows and developer machines hold long‑lived cloud or SCM credentials.
✅ Introduce isolation for testing third‑party packages and freelance “test projects.”
✅ Treat dependency updates as a trust decision, not a convenience step.
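
One way to start the first audit item, as an added example that is not part of the original post: a small scanner that flags static credential references and over-broad token permissions in a CI workflow file. It assumes GitHub Actions workflow syntax (the post names no CI system), and the secret-name patterns and the sample workflow are constructed for illustration.

```python
import re

# Constructed sample workflow for illustration (not from a real repository).
SAMPLE_WORKFLOW = """\
name: release
on: [push]
permissions: write-all
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
# Heuristic name patterns for static credentials (assumption; adapt to your naming).
STATIC_NAME = re.compile(r"ACCESS_KEY|SECRET|TOKEN|PASSWORD|API_KEY|_PAT$", re.I)
EPHEMERAL = {"GITHUB_TOKEN"}  # minted per job by the platform, expires with the job


def audit_workflow(text):
    """Return (line_no, kind, detail) findings for one workflow file's text."""
    findings, has_permissions = [], False
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        if re.match(r"permissions\s*:", stripped):
            has_permissions = True
            if "write-all" in stripped:
                findings.append((n, "broad-permissions", "write-all"))
        for name in SECRET_REF.findall(line):
            if name not in EPHEMERAL and STATIC_NAME.search(name):
                findings.append((n, "long-lived-secret", name))
    if not has_permissions:
        # Without an explicit block the token scope is the repo/org default.
        findings.append((0, "no-permissions-block", "default token scope"))
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Each `long-lived-secret` finding is a credential worth replacing with short-lived, federated access where the provider supports it; each permissions finding is a workflow whose token scope should be narrowed to what the job needs.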

The most efficient way into your environment right now
isn’t your firewall, it’s your developer laptop.

Links for a deeper technical dive are in the comments.