Supply chain attackers are not only trying to slip malicious code into trusted software. They are trying to steal the access that makes trusted software possible. Recently, three separate campaigns hit npm, PyPI, and Docker Hub in a 48-hour window, and all three targeted secrets from developer environments and CI/CD pipelines, including API keys, cloud credentials, SSH keys, and tokens. This is an ongoing concern and is self-propagating, as seen in attacks like the "mini Shai Hulud" campaigns.
That pattern should change how security teams think about the software supply chain.
Traditionally, security focused on shared systems like source code repositories, CI/CD platforms, artifact registries, package managers, and cloud environments. The goal was to protect production workloads and data. We absolutely still need to focus on these areas, but it is an incomplete picture.
Modern software delivery begins before code reaches Git. It begins on the developer workstation, where code is written, dependencies are installed, credentials are tested, AI assistants are prompted, containers are built, and trusted actions begin.
Developer workstations are a real part of the software supply chain. Treating them as 'just' ordinary endpoints leaves gaps among endpoint security, identity security, application security, and supply chain governance.
