A compilation of resources in the software supply chain security domain, with emphasis on open source
Updated Apr 3, 2026
Split and distribute your private keys securely amongst untrusted network
A compilation of Software Supply Chain Security resources including initiatives, standards, regulations, organizations, vendors, tooling, books, articles and a plethora of learning resources from the web.
List your dependencies capabilities and monitor if updates require more capabilities.
Scan GitHub Actions Workflow logs for IOCs
A phishing-led npm supply chain attack compromised millions of weekly downloads, but IoCs, detection scripts, and remediation steps can help developers defend fast.
Packj audits pull requests for malicious/risky open-source deps
Checks your files for existence of Unicode BIDI characters which can be misused for supply chain attacks. See CVE-2021-42574
New Android supply chain attack surface
PoC ELF linker that injects backdoors into binaries at link time
PoC backdoor embedded within the C runtime zero
This repository is a security research project demonstrating supply chain attack techniques in the Go ecosystem. It is designed for educational and defensive security purposes only.
Educational recreation of the WaterPlum/StoatWaffle VSCode supply chain attack. Full two-machine lab with C2 server, bootstrap downloader, RAT module, browser credential discovery, and file exfiltration. For security research only.
Compilation of articles and utils about Software Supply Chain Security
GitHub Action to detect adversarial Unicode in PRs: invisible characters, bidi attacks, homoglyphs, PUA code points, and encoding issues. Zero-config, language-agnostic.
Cybersecurity Technology Capstone — B.S. Cybersecurity Technology degree final course | AWS labs, SDN/IBN whitepaper, threat intelligence, and cybersecurity law & policy | UMGC CMIT 495
Python script to check if any malicious pip packages listed in a text file have been installed.
Complete implementation of Ken Thompson's "Trusting Trust" compiler exploit. Modified TCC with self-replicating backdoors, with my focus on architecture research and exploit development.
Compute SRI from an HTML file and generate a new HTML with the integrity attribute.
Ubel is a fast, cross-ecosystem security engine that resolves dependencies, generates PURLs, scans them through OSV.dev, and enforces security policies during installation to prevent supply-chain attacks. It works with: PyPI (via ubel-pip), npm (via ubel-npm), and Linux distributions (Ubuntu-based, Debian-based, RHEL, AlmaLinux).