Corpus Graph

Supply Chain

A graph-first view of curated supply chain incidents and the packages, repositories, organizations, maintainers, actors, campaigns, releases, and accounts connected by evidence.

127 nodes, 136 edges. Latest: 2025-09-16

Incidents: 27
Packages: 19
Releases: 7
Repositories: 11
Organizations: 19
Maintainers: 5
Build Systems: 6
Distribution Channels: 14
Compromised Accounts: 10
Relationships: 136

How They Got In: Attack Vectors

Distribution Compromise: 6
Account Compromise: 5
Package Publish: 5
CI/CD Compromise: 3
Dependency Resolution: 3
Source Compromise: 3
Build Compromise: 2

Who Is Connected: Attribution

Observed To Disclosure: Dwell Timeline

What Threatpedia Tracks

This section models confirmed supply chain incidents and the entities named by the corpus. The goal is structured recall: which packages, repositories, maintainers, and organizations appear together in public evidence.

Why Supply Chain Incidents Matter

A supply chain compromise can turn trusted update channels, build systems, or package registries into distribution paths. Tracking those links helps defenders compare incidents without inventing risk scores.

How Entities Connect

Entities are connected through explicit relationship records derived from the curated incident corpus. A package, repository, organization, or maintainer page shows the incidents that support that connection.

Evidence and Confidence Model

Each incident carries confidence and evidence-level fields from the corpus. Pages show those fields directly and avoid conclusions beyond the recorded evidence.

Corpus Shape

Entity Summary

Packages (19): Named software packages affected by or involved in supply chain incidents.

Repositories (11): Source repositories, release repositories, and project repositories cited by incident evidence.

Organizations (19): Vendors, projects, companies, registries, and public organizations connected to incidents.

Maintainers (5): Individual maintainers or maintainer identities named by the structured corpus.

Build Systems (6): Build, CI, release, or signing systems recorded as part of the incident chain.

Distribution Channels (14): Registries, update systems, downloads, and other channels used to distribute affected artifacts.

Compromised Accounts (10): Accounts or identities recorded as compromised in the incident corpus.

Corpus Index

All Incidents

Each entry lists the incident title, its attack vector category, and the corpus summary.

3CX desktop application software supply-chain compromise (Build Compromise): Attackers compromised 3CX desktop application builds, causing trojanized installers and updates to reach downstream customers.

ASUS Live Update Operation ShadowHammer (Distribution Compromise): Attackers compromised the ASUS Live Update utility and distributed signed malicious updates to selected downstream systems.

CCleaner signed installer compromise (Distribution Compromise): A legitimate CCleaner release was modified and signed, distributing malware to downstream users through the normal software update and download path.

Codecov Bash Uploader credential exfiltration (CI/CD Compromise): The Codecov Bash Uploader was modified by an attacker, enabling environment variable and credential exfiltration from affected CI environments.

colors and faker npm protestware releases (Package Publish): The maintainer of colors and faker published intentionally disruptive releases that broke downstream consumers and demonstrated maintainer-driven supply-chain risk.

ctx PyPI project account takeover (Account Compromise): The ctx project on PyPI was taken over and replaced with malicious code that collected environment variables from affected users.

Dependency confusion proof-of-concept campaign (Dependency Resolution): Researchers demonstrated that public package registries could be abused to satisfy internal dependency names and execute code in downstream build environments.

eslint-scope npm package credential-stealing release (Account Compromise): An attacker used compromised npm maintainer credentials to publish malicious eslint-scope and eslint-config-eslint releases that attempted to steal npm tokens.

event-stream malicious dependency insertion (Package Publish): A maintainer transfer enabled a malicious dependency to be added to the event-stream npm package dependency tree, targeting downstream cryptocurrency wallet software.

Go BoltDB typosquat module proxy backdoor (Dependency Resolution): Socket researchers disclosed a backdoored Go module typosquatting BoltDB that persisted through Go Module Proxy caching even after the source repository tag was changed.

Kaseya VSA ransomware supply-chain attack (Distribution Compromise): Attackers abused Kaseya VSA management software to distribute ransomware through managed service provider environments to downstream customers.

Ledger Connect Kit npm package compromise (Account Compromise): A compromised Ledger Connect Kit npm release injected malicious code into downstream web applications and targeted cryptocurrency wallet transactions.

Linux Mint ISO distribution site compromise (Distribution Compromise): Attackers modified Linux Mint download infrastructure so some users received a backdoored ISO image instead of the legitimate distribution image.

LottieFiles lottie-player npm package compromise (Account Compromise): Compromised releases of the @lottiefiles/lottie-player npm package injected malicious wallet-draining code into downstream web applications.

node-ipc peacenotwar protestware release (Package Publish): The node-ipc npm package included protestware behavior that modified files for users in certain geographies, creating downstream integrity and availability risk.

NotPetya distributed through M.E.Doc update channel (Distribution Compromise): The NotPetya destructive malware outbreak was seeded through a compromised Ukrainian accounting software update mechanism used by M.E.Doc customers.

Octopus Scanner malicious NetBeans project campaign (Source Compromise): Malicious code planted in open source NetBeans projects propagated through developer builds and attempted to infect additional projects.

PHP source repository backdoor attempt (Source Compromise): Attackers pushed malicious commits to the PHP source repository that would have introduced a backdoor if accepted into releases.

Polyfill.io CDN script supply-chain compromise (Distribution Compromise): The Polyfill.io service began serving malicious JavaScript to downstream websites that embedded the third-party CDN script.

PyTorch nightly dependency confusion compromise (Dependency Resolution): A malicious torchtriton package on PyPI was installed by some PyTorch nightly users because it shadowed an expected dependency name.

rc npm package malicious release (Package Publish): The rc npm package had malicious versions published that required users to downgrade and inspect systems for suspicious activity.

Shai-Hulud npm self-propagating package compromise (Package Publish): The Shai-Hulud campaign compromised npm packages with credential-harvesting malware that used stolen npm tokens to publish malicious versions of additional packages.

SolarWinds Orion software build compromise (Build Compromise): Attackers compromised the SolarWinds Orion build process and inserted the SUNBURST backdoor into signed software updates delivered to customers.

tj-actions changed-files GitHub Action compromise (CI/CD Compromise): The tj-actions/changed-files GitHub Action was compromised, exposing secrets from affected workflow runs through malicious action behavior.

ua-parser-js npm package account compromise (Account Compromise): Malicious versions of ua-parser-js were published to npm after maintainer account compromise, delivering credential-stealing and cryptomining payloads.

Ultralytics PyPI package compromise (CI/CD Compromise): The ultralytics Python project suffered a supply-chain attack through compromised GitHub Actions workflows and PyPI publishing, resulting in malicious package releases.

XZ Utils backdoor attempt (Source Compromise): A backdoor was inserted into upstream XZ Utils release tarballs, affecting some downstream Linux distribution packaging before broad removal.