A compilation of resources in the software supply chain security domain, with emphasis on open source
Updated
Apr 24, 2023
Split and distribute your private keys securely across an untrusted network
A compilation of Software Supply Chain Security resources including initiatives, standards, regulations, organizations, vendors, tooling, books, articles and a plethora of learning resources from the web.
List your dependencies' capabilities and monitor whether updates require more capabilities.
Scan GitHub Actions Workflow logs for IOCs
Packj audits pull requests for malicious/risky open-source deps
Checks your files for the presence of Unicode BIDI characters, which can be misused for supply chain attacks. See CVE-2021-42574.
New Android supply chain attack surface
A phishing-led npm supply chain attack compromised millions of weekly downloads, but IoCs, detection scripts, and remediation steps can help developers defend fast.
Compute SRI from an HTML file and generate a new HTML with the integrity attribute.
Compilation of articles and utils about Software Supply Chain Security
Python script to check if any malicious pip packages listed in a text file have been installed.
PoC ELF linker that injects backdoors into binaries at link time
Complete implementation of Ken Thompson's "Trusting Trust" compiler exploit. Modified TCC with self-replicating backdoors, with my focus on architecture research and exploit development.
Learn how to spot and avoid malicious GitHub forks that mimic real projects. (a.k.a. repo confusion attack)
Checks projects for compromised packages, suspicious files, and import statements.
PoC backdoor embedded within the C runtime zero (crt0)