Supply chain attacks do not break down the front door — they get invited in through the build systems, package registries, and maintainer trust that modern software runs on. A forensic walk through the XZ Utils backdoor, SUNBURST, and the npm registry attacks, the pattern they share, and the defenses that actually survive contact with real codebases.
Slsa
-
How Supply Chain Attacks Actually Work: The Anatomy of XZ, SolarWinds, and the npm Sagas -
Deterministic and Reproducible Builds: Why Your Build Should Be a Pure Function Why builds should be reproducible, how to achieve hermetic builds with Bazel and Nix, SLSA build provenance, SOURCE_DATE_EPOCH, and how to verify binary equivalence with diffoscope.
-
Supply Chain Security: SBOMs, Sigstore, Cosign, and SLSA A practical guide to software supply chain security — generating SBOMs with Syft, signing artifacts with Cosign and Sigstore, verifying provenance with SLSA, and integrating these controls into your CI/CD pipeline.