Back to updates

Supply-Chain - 1

2026 (3)

March (1)

k8s: The Invisible Rewrite: Modernizing the Kubernetes Image Promoter

Kubernetes Official Blog

2026-03-17

Kubernetes rewrote the core of its image promoter (kpromo/promo-tools), removing legacy code and splitting promotion into distinct phases. The new pipeline improved performance and reliability, shipped in v4.2.0–v4.4.0, and kept user-facing flags and manifests unchanged.

February (1)

security: Developer-targeting campaign using malicious Next.js repositories

Microsoft Security Blog

2026-02-24

Microsoft reports a developer-targeting campaign that used malicious Next.js repositories to achieve remote code execution and establish command-and-control via normal build workflows, aiming to blend into routine development activity.

January (1)

security: Case study: Securing AI application supply chains

Microsoft Security Blog

2026-01-30

The article argues that securing AI-powered applications requires a holistic supply-chain approach beyond protecting prompts, including monitoring frameworks, SDKs, and orchestration layers, plus enforcing strong runtime controls so security teams can detect, respond to, and remediate risks before exploitation.

2025 (2)

December (1)

security: Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack

Microsoft Security Blog

2025-12-09

Shai‑Hulud 2.0 is a large-scale supply chain attack in which adversaries maliciously modified hundreds of public packages to compromise developer environments, CI/CD pipelines, and cloud workloads in order to harvest credentials and configuration secrets. Microsoft published guidance to detect, investigate, and defend against these compromises across development toolchains, build systems, and cloud assets.

September (1)

security: XCSSET evolves again: Analyzing the latest updates to XCSSET’s inventory

Microsoft Security Blog

2025-09-25

Microsoft Threat Intelligence has identified a new variant of the XCSSET malware that targets Xcode projects used by developers building Apple and macOS applications, detailed in a Microsoft Security Blog post.