Analysis of 2024/2025 open source supply chain compromises reveals three predominant attack vectors: phishing (5 incidents), control handoff to malicious actors (4 incidents), and unsafe GitHub Actions triggers like pull_request_target (4 incidents). The research identifies concrete mitigations including mandatory phishing-resistant authentication, avoiding privileged attacker-controlled CI triggers, and eliminating long-lived credentials through Trusted Publishing and OIDC tokens. Additional vulnerabilities include GitHub Actions cache poisoning, Dependabot impersonation, and mutable action tags that enable instant compromise of dependent workflows.
Table of contents
2024/2025 Open Source Supply Chain CompromisesSummary of vectors and mitigationsSummaryThe PictureSort: