The npm and developer-tooling attacks of the last year all passed a trust signal that was working correctly: TanStack shipped 84 malicious packages with valid SLSA provenance, DAEMON Tools shipped a signed backdoor, the Nx Console extension served its payload from the real nrwl/nx repo, and Axios...

Source: [HackerNoon](https://hackernoon.com/your-software-supply-chain-only-proves-where-code-came-from-not-whether-its-safe?source=rss)