“Recent attacks show that hackers continue to use the same tricks to sneak bad code into popular software registries,” writes Selinux-Nerd, a Slashdot reader for years, who suggests that “the real problem is how these registries have been built, so these attacks will probably continue to take place.” After all, NPM was not the only software library that was hit by a supply chain attack, argues the Linux security blog. “PyPI and Docker Hub were both confronted with their own compromises in 2025, and the overlaps are impossible to ignore.”
Phishing has always been the low-hanging fruit. In 2025 it was not effective just once; it was the starting point for multiple registry breaches, all close together in different ecosystems … The real problem is not that phishing took place. It is that there were not enough safety measures to limit the impact. One stolen password should not be sufficient to poison a whole ecosystem. But in 2025 that is exactly what happened …
Even if every maintainer were to spot every lure, the registries left holes that attackers could walk through without much effort. The problem was not social engineering this time. It was how little verification there was between an attacker and the ‘publish’ button. Weak authentication and missing provenance were the silent factors in 2025 … Sometimes the registry itself offers the way in. If the error occurs at the registry level, maintainers receive no warning, no log entry and no indication that something has gone wrong. That is what makes it so dangerous. The compromise appears to be a normal update until it reaches the downstream system … It shifts the risk from human error to systemic design.
And once that weakly authenticated code gets in, it does not always disappear quickly, which leads straight to the persistence problem … Once an artifact has been published, it spreads to mirrors, caches and derived builds. Removing the original upload does not delete every copy … From our perspective at LinuxSecurity, this is not about slow cleanup; it’s about architecture. Registries do not have a universally reliable ‘kill switch’ once trust has been violated. Even after removal, poisoned base images persist in mirrors, caches and derived builds, which means that developers can continue to pull them in long after the registry itself is ‘clean’.
The article concludes: “For us at LinuxSecurity, the real vulnerability is not phishing e-mails or stolen tokens; it is the way in which registries are built. They distribute code without security guarantees. That design ensures that supply chain attacks will not be rare anomalies.”
So in a world where “the only safe assumption is that the code you use may already have been compromised,” they claim, developers must look at checks they can enforce themselves:
- Verify artifacts with signatures or provenance tools.
- Pin dependencies to specific, trusted versions.
- Generate and track SBOMs, so that you know exactly what is in your stack.
- Scan continuously, not just at the time of installation.
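
An added example, not from the article or LinuxSecurity: a small Python audit covering the pinning and verification checks for the two ecosystems named above, flagging pip requirements that lack an exact version or a hash and Dockerfile base images referenced by mutable tag rather than digest. The file contents, versions, image names and digests are constructed samples, and the function names are hypothetical.

```python
import re

PIN = re.compile(r"^[A-Za-z0-9._\[\],-]+==[^*\s]+$")      # exact version, no wildcard
HASH = re.compile(r"--hash=sha256:[0-9a-f]{64}\b")
FROM = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")

# Constructed sample inputs (hashes and digests are filler, not real artifacts).
REQUIREMENTS = ("requests==2.32.3 \\\n    --hash=sha256:" + "ab" * 32 + "\n"
                "flask>=2.0\n"
                "pyyaml==6.0.2  # pinned, but nothing ties it to known bytes\n")
DOCKERFILE = ("FROM python:3.12-slim AS build\n"
              "FROM example.invalid/base@sha256:" + "cd" * 32 + " AS pinned\n"
              "FROM build\n")

def audit_requirements(text):
    """Return (requirement, problem) for entries a republished release could replace."""
    findings = []
    for raw in text.replace("\\\n", " ").splitlines():    # join line continuations
        line = raw.split(" #")[0].strip()
        if not line or line.startswith(("-", "#")):       # skip options and comments
            continue
        spec = line.split()[0]
        if not PIN.match(spec):
            findings.append((spec, "not pinned to an exact version"))
        elif not HASH.search(line):
            findings.append((spec, "pinned but missing --hash"))
    return findings

def audit_dockerfile(text):
    """Return (image, problem) for base images whose tag can be repointed."""
    findings, stages = [], set()
    for raw in text.splitlines():
        m = FROM.match(raw)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        # Earlier build stages and 'scratch' are not pulled from a registry.
        if image.lower() != "scratch" and image not in stages and not DIGEST.search(image):
            findings.append((image, "referenced by mutable tag, not digest"))
        if alias:
            stages.add(alias)
    return findings

if __name__ == "__main__":
    for item, problem in audit_requirements(REQUIREMENTS) + audit_dockerfile(DOCKERFILE):
        print(f"{item}: {problem}")
```

Once every entry carries a hash, `pip install --require-hashes -r requirements.txt` makes pip itself refuse any artifact whose bytes do not match.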