Note: This repository has now been archived, and the incidents here (and more) are now recorded in the CNCF tag-security repository: https://github.com/cncf/tag-security/tree/main/supply-chain-security/compromises. Feel free to open pull requests and/or issues there.
This repository contains links to articles about software supply chain compromises. In the future it may also contain ways to query and export these as references, but that is ongoing work.
| Name | Year | Type of compromise | Links |
|---|---|---|---|
| RubyGem strong_password | 2019 | Publishing infrastructure | 1, 2 |
| RubyGem bootstrap-sass | 2019 | Publishing infrastructure | 1, 2, 3 |
| ShadowHammer | 2019 | Multiple steps | 1, 2 |
| PEAR Breach | 2019 | Publishing infrastructure | 1, 2 |
| Dofoil | 2018 | Publishing infrastructure | 1 |
| Operation Red | 2018 | Publishing infrastructure | 1 |
| Gentoo Incident | 2018 | Source code compromise | 1 |
| Unnamed Maker | 2018 | Publishing infrastructure | 1 |
| Colourama | 2018 | Typosquat | 1, 2 |
| Foxif/CCleaner | 2017 | Publishing infrastructure | 1 |
| HandBrake | 2017 | Publishing infrastructure | 1 |
| Kingslayer | 2017 | Publishing infrastructure | 1 |
| HackTask | 2017 | Typosquat | 1 |
| NotPetya | 2017 | Multiple steps | 1 |
| Bitcoin Gold | 2017 | Source code compromise | 1 |
| ExpensiveWall | 2017 | Backdooring SDK | 1, 2 |
| OSX Elmedia player | 2017 | Publishing infrastructure | 1 |
| keydnap | 2016 | Publishing infrastructure | 1, 2 |
| Fosshub Breach | 2016 | Publishing infrastructure | 1, 2 |
| Linux Mint | 2016 | Publishing infrastructure | 1 |
| Juniper Incident | 2015 | Source code compromise | 1 |
| XCodeGhost | 2015 | Fake toolchain | 1 |
| Ceph and Inktank | 2015 | Build, source and publishing infrastructure | 1 |
| Code Spaces | 2014 | Source code compromise | 1 |
| Monju Incident | 2014 | Publishing infrastructure | 1 |
| Operation Aurora | 2010 | Watering-hole attack | 1 |
| ProFTPD | 2010 | Source code repository | 1 |