Supply Chain Attacks: How One Update Hit OpenAI

June 12
8 mins

Episode Description

A routine software update. No phishing. No sketchy download. Then a security team finds the unthinkable: trusted code has been hijacked, and the breach rode in through the exact channels engineers rely on every day. I walk through the supply chain attacks that piled up across April and May 2026, including poisoned open source packages tied to TanStack and trojanized Daemon Tools installers, plus the rapid-fire abuse of major software registries like NPM, PyPI, and Docker Hub. 

The most important twist is what the malware is hunting. These campaigns aren’t primarily chasing customer data. They’re after the assets sitting on developer laptops and flowing through build servers: developer credentials, API keys, cloud tokens, SSH keys, and the permissions that turn “one compromised machine” into “access everywhere.” I explain why this shift is happening now through two lenses: trust (software is assembled, not written from scratch) and leverage (compromise one popular dependency and you reach everyone who installs it). 

Then we get practical about software supply chain security and CI/CD security. I break down how a poisoned pipeline can still output packages that look legitimate, complete with valid signatures, and why that makes detection so hard. Finally, I lay out five moves you can take right now: build an SBOM, treat CI/CD like production, watch for suspicious dependency changes and too-fresh releases, rotate to short-lived scoped secrets, and patch known-bad tool versions quickly. Subscribe, share this with a developer or leader who approves tooling, and leave a review so more teams stop trusting updates on autopilot.
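One of the five moves, watching for suspicious dependency changes and too-fresh releases, as an added worked example that is not code from the episode or from the host: a Python check that diffs two lockfile snapshots and cross-references the changed pins against registry publish metadata. The package names, versions, dates and publisher accounts are constructed for the example (no real package or incident is referenced); in practice the `REGISTRY` map would be filled from the npm or PyPI JSON API before the CI job runs.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data for this example: hypothetical package names, not real
# projects. The shape mirrors a "name -> resolved version" map pulled from
# package-lock.json, poetry.lock or requirements.txt before and after an update.
LOCK_BEFORE = {"string-pad": "1.3.0", "web-framework": "4.19.2"}
LOCK_AFTER = {
    "string-pad": "1.3.0",
    "web-framework": "4.19.3",  # bumped by the routine update
    "colorful-log": "2.0.1",    # pulled in as a new transitive dependency
}

# Constructed registry metadata, in the shape you would assemble from a registry
# API: package -> version -> (publish timestamp, publishing account).
REGISTRY = {
    "web-framework": {
        "4.19.2": ("2025-11-03T00:00:00Z", "framework-release-bot"),
        "4.19.3": ("2026-05-09T14:00:00Z", "framework-release-bot"),
    },
    "colorful-log": {
        "1.4.0": ("2024-06-02T00:00:00Z", "original-maintainer"),
        "2.0.1": ("2026-05-11T02:30:00Z", "account-created-2026"),
    },
}


def _parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp ('...Z') into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def review_dependency_changes(before, after, registry, now_iso, max_age_days=7):
    """Return (package, version, reason) findings for a lockfile update.

    reasons:
      added          package was not in the previous lockfile
      changed        resolved version differs from the previous lockfile
      removed        package disappeared from the lockfile
      too-fresh      resolved version was published < max_age_days before now
      new-publisher  resolved version was published by an account that never
                     published any earlier version of that package
      unknown        no registry metadata for the resolved version (cannot vet)
    """
    now = _parse_ts(now_iso)
    findings = []
    for name, version in sorted(after.items()):
        old = before.get(name)
        if old is None:
            findings.append((name, version, "added"))
        elif old != version:
            findings.append((name, version, "changed"))
        else:
            continue  # unchanged pin: nothing new entered the build

        versions = registry.get(name, {})
        meta = versions.get(version)
        if meta is None:
            findings.append((name, version, "unknown"))
            continue
        published_iso, publisher = meta
        published = _parse_ts(published_iso)

        # Too-fresh: a version cut days before it landed in your lockfile has had
        # no time for the ecosystem to notice a hijacked release.
        if now - published < timedelta(days=max_age_days):
            findings.append((name, version, "too-fresh"))

        # New publisher: an account that never shipped an earlier version of the
        # package is the classic signature of a taken-over maintainer account.
        earlier_publishers = {
            pub for v, (ts, pub) in versions.items()
            if v != version and _parse_ts(ts) < published
        }
        if earlier_publishers and publisher not in earlier_publishers:
            findings.append((name, version, "new-publisher"))

    removed = [(name, v, "removed") for name, v in sorted(before.items())
               if name not in after]
    return findings + removed


def run_example():
    """Review the constructed update as if the CI job ran on 2026-05-12."""
    return review_dependency_changes(LOCK_BEFORE, LOCK_AFTER, REGISTRY,
                                     "2026-05-12T00:00:00Z")


if __name__ == "__main__":
    for package, version, reason in run_example():
        print(f"{reason:14} {package}@{version}")
```

In a pipeline this runs on every pull request that touches the lockfile, with `added`, `too-fresh` and `new-publisher` findings failing the job until a human reviews them; `unknown` is deliberately a finding rather than a pass, since a version the registry cannot describe is one you cannot vet.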

Is there a topic/term you want me to discuss next? Text me!!

YouTube more your speed? → https://links.sith2.com/YouTube  
Apple Podcasts your usual stop? → https://links.sith2.com/Apple  
Neither of those? Spotify’s over here → https://links.sith2.com/Spotify  
Prefer reading quietly at your own pace? → https://links.sith2.com/Blog  
Join us in The Cyber Sanctuary (no robes required) → https://links.sith2.com/Discord  
Follow the human behind the microphone → https://links.sith2.com/linkedin  
Need another way to reach me? That’s here → https://linktr.ee/rich.greene
