How Attackers Use Developer Machines to Breach the Software Supply Chain - May 07, 2026

In April, three major supply chain campaigns hit npm, PyPI, and Docker Hub in just 48 hours, and while the ecosystems were different, the objective was the same: steal credentials from developer environments and CI/CD pipelines. The malware targeted API keys, cloud credentials, SSH keys, GitHub tokens, npm tokens, environment variables, and more, turning developer machines and build systems into high-value credential vaults for attackers.

Join Guillaume Valadon from GitGuardian and Jenn Gile, co-founder of OpenSourceMalware, for a timely conversation on how modern software supply chain attacks are evolving, why developer environments are now prime targets, and what security teams can do to reduce exposure before the next malicious package, compromised CLI, or poisoned dependency update lands in their pipeline.

We’ll unpack recent incidents including the Checkmarx KICS compromise, the CanisterSprawl npm worm, the xinference PyPI attack, and the @bitwarden/cli compromise, where attackers used techniques like install-time credential theft, GitHub as command-and-control, Cloudflare exfiltration domains, and automated dependency update paths to reach sensitive environments.

What you’ll learn

How recent npm, PyPI, Docker Hub, and CLI compromises were designed to harvest secrets at scale
Why dependency bots, package managers, and AI coding assistants can expand the blast radius of a supply chain attack
How to assess what credentials were exposed, where they lived, and whether they need to be rotated
Practical steps to strengthen secrets detection, developer environment security, and incident response workflows

Learn more about GitGuardian at:
https://www.gitguardian.com/
and
https://blog.gitguardian.com/

Get free OSS malware threat intel:
https://opensourcemalware.com/

Learn about social engineering tactics used to compromise OSS maintainers: https://opensourcemalware.com/blog/social-engineering-playbook