| ID | Title | Tags | Target | Author | Type | Published | Added |
|---|---|---|---|---|---|---|---|
| 2608 | Supply Chain Attacks via GitHub.com Releases | Logic flaw | GitHub | Nightwatch Cybersecurity (@nightwatchcyber) | Bug Bounty | 2021-04-25 | 2023-06-13 |
| 2596 | PHP Supply Chain Attack on Composer | Argument injection, RCE, Supply chain attack, Security code review | Packagist | Thomas Chauchefoin (@swapgs) | Bug Bounty | 2021-04-29 | 2023-06-13 |
| 2048 | WordPress Plugin Confusion: How an update can get you pwned | Supply chain attack, WordPress plugin confusion, WordPress theme confusion | NA | Kamil Vavra (@vavkamil) | Bug Bounty | 2021-11-25 | 2023-06-13 |
| 1856 | Malicious Kubernetes Helm Charts can be used to steal sensitive information from Argo CD deployments | Supply chain attack, CI/CD | Argo CD | Apiiro’s Security Research | Bug Bounty | 2022-02-03 | 2023-06-13 |
| 1845 | Insecure Bootstrap Process in Oracle Cloud CLI | Supply chain attack | Oracle | Nightwatch Cybersecurity (@nightwatchcyber) | Bug Bounty | 2022-02-06 | 2023-06-13 |
| 1826 | "Zero-Days" Without Incident - Compromising Angular via Expired npm Publisher Email Domains | Supply chain attack | GitHub | Matthew Bryant (@IAmMandatory) | Bug Bounty | 2022-02-11 | 2023-06-13 |
| 1002 | Securing Developer Tools: A New Supply Chain Attack on PHP | Argument injection, RCE, Supply chain attack, Security code review | Packagist | Thomas Chauchefoin (@swapgs) | Bug Bounty | 2022-10-04 | 2023-06-13 |
| 970 | Threat Alert: Private npm Packages Disclosed via Timing Attacks | Timing attack, Supply chain attack | GitHub | Yakir Kadkoda | Bug Bounty | 2022-10-12 | 2023-06-13 |
| 902 | Attacking The Software Supply Chain With A Simple Rename | Repojacking, Supply chain attack | GitHub | Aviad Gershon (@aviadgershon) | Bug Bounty | 2022-10-26 | 2023-06-13 |
| 899 | Hijacking AUR Packages by Searching for Expired Domains | Subdomain takeover, Supply chain attack | NA | Joren Vrancken | Bug Bounty | 2022-10-26 | 2023-06-13 |
| 750 | Novel Pipeline Vulnerability Discovered; Rust Found Vulnerable | Supply chain attack | GitHub, Rust | Noam Dotan | Bug Bounty | 2022-12-01 | 2023-06-13 |
| 334 | Subdomain Takeover: How a Misconfigured DNS Record Could Lead to a Huge Supply Chain Attack | Subdomain takeover, Supply chain attack | GitHub | Gal Nagli (@naglinagli) | Bug Bounty | 2023-03-08 | 2023-06-13 |
| 249 | Remote Code Execution Vulnerability in Azure Pipelines Can Lead To Software Supply Chain Attack | RCE, CI/CD, Supply chain attack | Microsoft (Azure Pipelines) | Nadav Noy | Bug Bounty | 2023-03-30 | 2023-06-13 |
| 212 | Hijacking Arch Linux Packages by Repo Jacking GitHub Repositories | Repojacking, Supply chain attack | NA | Joren Vrancken | Bug Bounty | 2023-04-10 | 2023-06-13 |
| 211 | CVE-2023-1767 - Stored XSS on Snyk Advisor service can allow full fabrication of npm packages health score | Stored XSS, Markdown XSS, Supply chain attack | Snyk | Gal Weizman (@WeizmanGal) | Bug Bounty | 2023-04-10 | 2023-06-13 |
| 182 | #BrokenSesame: Accidental 'write' permissions to private registry allowed potential RCE to Alibaba Cloud Database Services | Cloud, RCE, Container escape, Kubernetes, Privilege escalation, Lateral movement, Supply chain attack, Cross-tenant vulnerability | Alibaba | Ronen Shustin (@ronenshh) | Bug Bounty | 2023-04-19 | 2023-06-13 |
| 164 | Stealing GitHub staff's access token via GitHub Actions | CI/CD, Token leak, Privilege escalation, Supply chain attack | GitHub | RyotaK (@ryotkak) | Bug Bounty | 2023-04-22 | 2023-06-13 |