A compilation of resources in the software supply chain security domain, with emphasis on open source
Updated Apr 3, 2026
Split and distribute your private keys securely amongst an untrusted network
A compilation of Software Supply Chain Security resources including initiatives, standards, regulations, organizations, vendors, tooling, books, articles and a plethora of learning resources from the web.
List your dependencies' capabilities and monitor whether updates require more capabilities.
Scan GitHub Actions Workflow logs for IOCs
A phishing-led npm supply chain attack compromised millions of weekly downloads, but IoCs, detection scripts, and remediation steps can help developers defend fast.
Packj audits pull requests for malicious/risky open-source deps
Checks your files for the existence of Unicode BIDI characters, which can be misused for supply chain attacks. See CVE-2021-42574
New Android supply chain attack surface
PoC ELF linker that injects backdoors into binaries at link time
This repository is a security research project demonstrating supply chain attack techniques in the Go ecosystem. It is designed for educational and defensive security purposes only.
PoC backdoor embedded within the C runtime zero
Ubel is a fast, cross-ecosystem security engine that resolves dependencies, generates PURLs, scans them through OSV.dev, and enforces security policies during installation to prevent supply-chain attacks. It works with PyPI (via ubel-pip), npm (via ubel-npm), and Linux distributions (Ubuntu-based, Debian-based, RHEL, AlmaLinux).
Compilation of articles and utils about Software Supply Chain Security
Python script to check if any malicious pip packages listed in a text file have been installed.
GitHub Action to detect adversarial Unicode in PRs: invisible characters, bidi attacks, homoglyphs, PUA code points, and encoding issues. Zero-config, language-agnostic.
Educational recreation of the WaterPlum/StoatWaffle VSCode supply chain attack. Full two-machine lab with C2 server, bootstrap downloader, RAT module, browser credential discovery, and file exfiltration. For security research only.
Cybersecurity Technology Capstone — B.S. Cybersecurity Technology degree final course | AWS labs, SDN/IBN whitepaper, threat intelligence, and cybersecurity law & policy | UMGC CMIT 495
Complete implementation of Ken Thompson's "Trusting Trust" compiler exploit. Modified TCC with self-replicating backdoors, with my focus on architecture research and exploit development.
Threat hunting investigation in Splunk - supply chain attack via malicious npm package. TryHackMe Operation: Health Hazard. 335 pts.