Add 2025 software supply chain attacks #139
✅ Deploy Preview for contribute-cncf-io ready!
Pull request overview
This pull request adds documentation for three significant software supply chain attacks that occurred in 2025 to the CNCF TAG Security catalog. The additions align with the catalog's mission to capture diverse attack patterns for developing best practices and tools.
Key Changes
- Added three 2025 supply chain compromise entries to the catalog index
- Created detailed documentation for the Shai-Hulud self-replicating worm attack on npm
- Created documentation for an npm phishing campaign targeting maintainer Qix
- Created documentation for the nullifAI malicious ML model incident on Hugging Face
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| docs/community/tags/security-and-compliance/publications/catalog/index.md | Added three new 2025 entries to the supply chain compromises table with appropriate links and compromise types |
| docs/community/tags/security-and-compliance/publications/catalog/2025/shai-hulud.md | Documented the Shai-Hulud worm attack including impact, compromise type, and references |
| docs/community/tags/security-and-compliance/publications/catalog/2025/qix.md | Documented the npm phishing campaign targeting Qix with impact analysis and related incidents |
| docs/community/tags/security-and-compliance/publications/catalog/2025/nullifAI.md | Documented malicious ML models on Hugging Face with security implications |
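The review also lists the nullifAI entry as "malicious ML models on Hugging Face" without saying how the models were malicious. The following is an added example, not code from the PR, the catalog or Hugging Face: it assumes the model is a Python pickle file (the format of PyTorch checkpoints and many other hub artifacts, and the usual way a model file carries code, since `__reduce__` lets an object name any callable for `pickle.load` to invoke) and shows the pre-load check a practitioner runs. It parses the opcode stream with the standard library's `pickletools.genops` and never unpickles anything. The allowlist contents and the two sample blobs are constructed for the example.

```python
"""Added example (not from the PR or the catalog): inspect a pickle-based model
file for code-execution opcodes without unpickling it.

Assumption: the model is Python pickle. The page does not say how the nullifAI
models were malicious; this is the generic pre-load check.
"""
import pickle
import pickletools
from typing import Dict, List, Tuple

# Opcodes that push string constants (STACK_GLOBAL takes module/name from them).
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
# Opcodes that invoke something on the unpickling side.
INVOKE_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def scan_pickle(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every global resolution or invocation.

    Only the opcode stream is parsed (pickletools.genops); nothing is executed.
    String constants and the memo are tracked so STACK_GLOBAL operands are
    resolved whether pushed fresh or fetched back with BINGET.
    """
    findings: List[Tuple[int, str]] = []
    recent: List[str] = []      # string constants seen so far, in push order
    memo: Dict[int, str] = {}   # memo slot -> string, for slots holding strings
    memo_count = 0              # slot counter for the MEMOIZE opcode
    last = None                 # last pushed value if it was a string
    for op, arg, pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            last = str(arg)
            recent.append(last)
        elif op.name == "MEMOIZE":
            if last is not None:
                memo[memo_count] = last
            memo_count += 1
        elif op.name in PUT_OPS:
            if last is not None:
                memo[arg] = last
        elif op.name in GET_OPS:
            last = memo.get(arg)
            if last is not None:
                recent.append(last)
        else:
            if op.name == "GLOBAL":
                # Protocol <4 form: argument is "module name" on one line.
                module, _, name = str(arg).partition(" ")
                findings.append((pos, f"global {module}.{name}"))
            elif op.name == "STACK_GLOBAL":
                # Protocol 4+: module and name are the two preceding strings.
                name = recent[-1] if recent else "?"
                module = recent[-2] if len(recent) > 1 else "?"
                findings.append((pos, f"global {module}.{name}"))
            elif op.name in INVOKE_OPS:
                findings.append((pos, op.name))
            last = None
    return findings


def referenced_globals(data: bytes) -> List[str]:
    """Just the dotted module.name targets the pickle would import on load."""
    return [d.split(" ", 1)[1] for _, d in scan_pickle(data) if d.startswith("global ")]


def is_loadable(data: bytes, allowlist) -> bool:
    """True only if every referenced global is on the allowlist."""
    return all(g in allowlist for g in referenced_globals(data))


# Constructed samples. A plain dict of floats needs no globals; the second
# object's __reduce__ makes pickle.load call builtins.eval (pickle.dumps does
# not execute anything, it only records the callable and its arguments).
BENIGN_MODEL = pickle.dumps({"weights": [0.1, 0.2, 0.3], "layers": 3})


class _PayloadCarrier:
    def __reduce__(self):
        return (eval, ("print('this would run at load time')",))


MALICIOUS_MODEL = pickle.dumps(_PayloadCarrier())

# Illustrative allowlist of globals a checkpoint loader legitimately needs.
ALLOWLIST = {"collections.OrderedDict", "torch._utils._rebuild_tensor_v2",
             "torch.FloatStorage"}

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_MODEL), ("malicious", MALICIOUS_MODEL)):
        print(label, "loadable:", is_loadable(blob, ALLOWLIST))
        for off, desc in scan_pickle(blob):
            print(f"  @{off}: {desc}")
```

The allowlist is the important design choice: a real checkpoint does reference globals (tensor reconstruction helpers, `OrderedDict`), so the useful question is not "does it name a global" but "does it name one outside the set this loader is expected to need". Anything else, and any `REDUCE`/`BUILD` whose callable is not on that list, means the file should be opened with a restricted unpickler or not at all.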
Can you try to pass the DCO bot thing? Thanks!
Done!
Thanks for this @sivanahamer! Since this is coming in from the tag-security, should the same folks who would have approved cncf/tag-security#1503 approve this before merge? @mrbobbytables, is it the intention that each tag has sway over their section of this site?
brandtkeller left a comment
Thanks for moving this over to this repository and navigating the updates - appreciate the patience.
@nate-double-u pausing to take final action on merge for any additional considerations from @mrbobbytables or yourself.
Yes, need to add the codeowners to the root to allow them to merge themselves 👍 I'll add it on the TODO.
Signed-off-by: sivanahamer <sivanahamer@gmail.com>
…og/2025/nullifAI.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Sivana Hamer <sivanahamer@gmail.com> Signed-off-by: sivanahamer <sivanahamer@gmail.com>
…og/2025/nullifAI.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Sivana Hamer <sivanahamer@gmail.com> Signed-off-by: sivanahamer <sivanahamer@gmail.com>
…og/2025/nullifAI.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Sivana Hamer <sivanahamer@gmail.com> Signed-off-by: sivanahamer <sivanahamer@gmail.com>
…og/2025/qix.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Sivana Hamer <sivanahamer@gmail.com> Signed-off-by: sivanahamer <sivanahamer@gmail.com>
…og/2025/shai-hulud.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Sivana Hamer <sivanahamer@gmail.com> Signed-off-by: sivanahamer <sivanahamer@gmail.com>
…og/2025/qix.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Sivana Hamer <sivanahamer@gmail.com> Signed-off-by: sivanahamer <sivanahamer@gmail.com>
…og/2025/nullifAI.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Sivana Hamer <sivanahamer@gmail.com> Signed-off-by: sivanahamer <sivanahamer@gmail.com>
…og/2025/qix.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Sivana Hamer <sivanahamer@gmail.com> Signed-off-by: sivanahamer <sivanahamer@gmail.com>
…og/2025/shai-hulud.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Sivana Hamer <sivanahamer@gmail.com> Signed-off-by: sivanahamer <sivanahamer@gmail.com>
…og/2025/shai-hulud.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Sivana Hamer <sivanahamer@gmail.com> Signed-off-by: sivanahamer <sivanahamer@gmail.com>
…og/2025/shai-hulud.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Sivana Hamer <sivanahamer@gmail.com> Signed-off-by: sivanahamer <sivanahamer@gmail.com>
Adding attacks 2025 to the new repository mentioned in: cncf/tag-security#1503