Missing list of supply chain attacks

[Foxboron]

• [x] NPM electron-native-notify - https://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm
• [ ] NPM event-stream https://medium.com/@hkparker/analysis-of-a-supply-chain-attack-2bd8fa8286ac
• [x] Operation Shadowhammer - https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/
• [ ] Fedora Incident - https://lists.fedoraproject.org/pipermail/announce/2011-January/002911.html
• [ ] Fedora Signing Server Incident - https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html
• [ ] Gentoo rsync Incident - https://archives.gentoo.org/gentoo-announce/message/7b0581416ddd91522c14513cb789f17a
• [ ] kernel.org Incident - https://www.linuxfoundation.org/blog/2011/08/the-cracking-of-kernel-org/
• [x] Ruby gems bootstrap-sass - https://snyk.io/blog/malicious-remote-code-execution-backdoor-discovered-in-the-popular-bootstrap-sass-ruby-gem/
• [ ] Android supply-chain compromise - https://arstechnica.com/information-technology/2019/06/google-confirms-2017-supply-chain-attack-that-sneaked-backdoor-on-android-devices/

[joshuagl]

• [ ] PyPi "ssh-decorate" - https://www.bleepingcomputer.com/news/security/backdoored-python-library-caught-stealing-ssh-credentials/

[Foxboron]

• [x] Ruby gems strong_password https://withatwist.dev/strong-password-rubygem-hijacked.html

• [ ] Canonical Github repo compromised - https://github.com/CanonicalLtd (need more sources i reckon)

• [ ] Pale moon archive server - https://www.bleepingcomputer.com/news/security/hackers-infect-pale-moon-archive-server-with-a-malware-dropper/

[joshuagl]

• [ ] webmin backdoor http://www.webmin.com/exploit.html

[brainwane]

It'd help me with something I'm writing if maintainers of this repo could go ahead and incorporate items from this issue into the document! Heads-up @lukpueh @SantiagoTorres :)

[adityasaky]

Added strong_password compromise - #5 Added bootstrap-sass - #6

[erickatwork]

python3-dateutil / jeIlyfish - https://github.com/dateutil/dateutil/issues/984

[jaxley]

I've started cataloging attacks. If the maintainers are up for maintaining or sharing the burden, would love to contribute. I'll fork and submit a PR.