
SANS Internet Storm Center Highlights Escalating Software Supply Chain Attacks
The May 20, 2026, SANS Internet Storm Center Stormcast episode highlights escalating software supply chain attacks, including the compromise of TanStack, a project with SLSA Level 3 verification (its releases are built on a hardened platform that generates and signs provenance the maintainers themselves cannot forge). That attestation covers how an artifact was built, not whether the source it was built from was trustworthy: a stolen maintainer account or CI credential still yields a malicious release with perfectly valid provenance. Recent campaigns, such as Team PCP, have stolen credentials and GitHub access from both open-source and proprietary projects, demonstrating that supply chain risk is not limited to open-source software.

A key incident involved the "issues helper" GitHub Action, where attackers moved existing version tags to point at malicious commits, so any workflow that referenced the action by tag silently pulled a version that exfiltrates secrets. Microsoft also reported targeted attacks exploiting Azure's self-service password reset (SSPR) feature, combining social engineering with MFA bypasses to gain access to cloud infrastructure.

The episode emphasizes two core defenses: assuming compromise as the baseline, and enterprise-wide credential and secret management, particularly for CI/CD pipelines. Additional mitigations include auditing self-service password reset requests and pinning dependencies, GitHub Actions included, to immutable identifiers (a full commit SHA rather than a movable tag or branch name) so that a relabeled tag cannot redirect a build to tampered code.
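The tag-moving attack above works because a git tag is a mutable pointer; a full-length commit SHA is not. As an added example (not code from the episode, from TanStack, or from the issues-helper project), the following stdlib-only Python script scans a GitHub Actions workflow and flags every `uses:` reference that is not pinned to a 40-character commit SHA. The workflow text, the `example-org` owner, and the placeholder SHA are constructed for the example; local `./` actions and `docker://` images are reported separately because SHA pinning does not apply to them.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example, not from the SANS ISC episode or any project it mentions.
A tag such as v3 can be moved by whoever controls the action's repository,
which is the relabeling the episode describes; a 40-hex-character commit SHA
cannot. GitHub documents the full-length SHA as the only immutable way to
reference an action, so abbreviated SHAs are treated as unpinned here.
"""
import re

# Constructed sample workflow (not a real project's file). The owner
# "example-org" and the all-hex SHA below are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: example-org/issues-helper@v3
        with:
          actions: 'create-comment'
"""

# Matches "- uses: owner/repo@ref" with optional quotes; stops at whitespace,
# quotes or a trailing "# v1.2.3" comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_reference(ref: str) -> str:
    """Return 'sha', 'unpinned', or 'other' (local path or docker:// image)."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return "other"
    if "@" not in ref:
        return "unpinned"  # no ref at all resolves to the default branch
    _, _, version = ref.rpartition("@")
    # Anything that is not a full 40-hex SHA (tag, branch, short SHA) can be
    # re-pointed or is ambiguous, so it counts as unpinned.
    return "sha" if FULL_SHA_RE.match(version) else "unpinned"


def find_unpinned_actions(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line number, reference) for every `uses:` not pinned to a SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if classify_reference(ref) == "unpinned":
            findings.append((lineno, ref))
    return findings


if __name__ == "__main__":
    for lineno, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is pinned to a movable tag/branch; "
              f"pin it to a full commit SHA and keep the version in a comment")
```

Run it over each file under `.github/workflows/` in CI and fail the job on any finding. A SHA pin fixes only the action's own source: the pinned commit's transitive dependencies, and any `docker://` image referenced by tag rather than by digest, still need pinning of their own.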