What SBOM, SLSA, and code signing leave uncovered and how behavioral verification closes the gap at execution. Supply chain attack analysis, third-party code risk, and enforcement.

CodeHunter Security Brief cover for Red Hat NPM supply chain attack, June 2026, for the regulated-enterprise CISO

Security Brief: Red Hat NPM and the Mini Shai-Hulud Supply Chain Malware

/in , /by

secbriefsection the claim

Trusted developers and maintainers are now a primary attack surface. When access to a legitimate developer account enables malicious code through established software ecosystems, trust decisions are compromised before execution even begins. Zero Trust for Code addresses this by validating not just how code behaves at runtime, but whether its origin, build context, and delivery pipeline have remained trustworthy throughout the entire software lifecycle.

secbriefsection the threat

A recent supply chain attack involving multiple Red Hat npm packages demonstrates how quickly trusted ecosystems can be weaponized when developer identity is compromised. The attack originated from unauthorized access to a Red Hat employee’s GitHub account, which was used to introduce malicious code into widely consumed npm packages. These packages were then distributed through legitimate channels, embedding malicious code directly into developer environments. The malware, “Mini Shai-Hulud”, targets development workflows, harvesting credentials and sensitive data from build environments while operating under the appearance of trusted dependencies. Unlike traditional malware delivery, this attack bypasses a user’s decision making entirely. The compromise occurs upstream, where developers and systems implicitly trust package sources, maintainers, and update mechanisms.

secbriefsection the problem

  • Trust Anchored to Identity: Package trust is derived from maintainer identity and repository access, not from verification of code integrity over time.
  • Pre-Execution Compromise: Malicious code is introduced before deployment, avoiding the need to evade endpoint or runtime defenses.
  • Pipeline Blind Spot: Most CI/CD pipelines are not designed with the intent to capture the behavioral aspects of code execution, they are primarily focused on building executable and deployable code.
  • Transitive Risk Amplification: A single compromised package propagates across thousands of downstream applications automatically. Security models establish trust at the point of access but do not revalidate that trust as code evolves through the software lifecycle.

Once established, trust becomes persistent. Packages, updates, and dependencies are treated as extensions of that initial decision, regardless of whether the underlying code has changed or been compromised.

This creates a structural condition where malicious code can enter through legitimate channels and execute within trusted workflows without resistance.

The failure is not in individual controls, but in the assumption that trusted sources remain trustworthy over time. Build pipelines, developer environments, and automated processes inherit this trust and execute code accordingly, often with elevated privileges. Zero Trust for Code addresses this by ensuring that trust is continuously validated across the software lifecycle, not implicitly carried forward from a single upstream decision.

secbriefsection the impact

  • Trusted pipelines executing attacker-controlled logic.
  • Credential exposure within development and build environments.
  • Rapid, large-scale propagation through automated dependency updates.
  • Loss of integrity in software supply chains and internal codebases.

secbriefsection whattowatchfor

  • Unexpected changes in widely used dependencies without corresponding version trust validation.
  • Build processes accessing external or unusual endpoints during dependency installation.
  • CI/CD pipelines executing code from newly updated or low-confidence package versions.
  • Developer credentials or tokens being accessed during build-time execution.

The key signal is not abnormal runtime behavior, but rather unexpected trust transitions in the software supply chain.

secbriefsection zt4c value

Zero Trust for Code introduces verification capabilities before, during, and after execution, ensuring that trust is not assumed at any stage of the software lifecycle.

By validating software provenance and enforcing behavioral constraints across development pipelines, organizations can:

  • Prevent compromised code from entering production environments.
  • Detect unauthorized modifications within trusted ecosystems.
  • Maintain control over software integrity even when upstream sources are attacked.

This shifts security from reactive containment to proactive assurance of software trustworthiness. This transforms supply chain risk from an uncontrollable exposure, into a governed, enforceable control point.

It establishes clear ownership over where trust is defined, how it is validated, and when it must be re-evaluated across the software lifecycle. This closes the gap between assumed trust and proven integrity, aligning security controls with the speed and scale of modern software delivery.

secbriefsection ciso action brief

  • Implement code provenance verification across all third-party dependencies.
  • Enforce trust validation for package updates, not just initial adoption.
  • Restrict CI/CD execution privileges to limit exposure from compromised dependencies.
  • Monitor and log build-time behavior, especially external communications or credential access.
  • Establish policy controls for software lineage, including version trust and maintainer validation.

Begin with high-risk environments such as build systems and developer workstations, where compromised code has the greatest systemic impact.

methodology & sources

Analysis based on reporting of the Red Hat npm package compromise and Mini Shai-Hulud malware activity(June 2026), combined with CodeHunters evaluation of software supply chain risk, and dependency trust models.

Download the PDF

Digitally connected supply chain network illustrating complex software execution dependencies and the need to control code behavior across distributed systems

Transportation Industry Software Supply Chain Security: Why Signing and SBOMs Are Not Enough

/in /by

The transportation industry runs on digital infrastructure. Automated ports, cargo tracking systems, logistics management software, GPS-guided fleets: the efficiency gains from digitization are real, and the dependency is deep. So is the exposure. Cyberattacks targeting transportation do not just disrupt operations. They can affect national security, public safety, and the global movement of goods that other industries depend on. The attack surface is wide, the systems are deeply interconnected, and many of the controls used to govern software trust in this sector were designed for a simpler threat environment than the one that exists today.

Third-Party Vendors Are a Trusted Entry Point for Untrusted Code

Transportation companies rely on third-party vendors for logistics software, cloud services, IoT monitoring, and dozens of other operational dependencies. Each of those relationships is a channel through which software enters the environment, and most of those channels are trusted by default.

The SolarWinds attack in 2020 is the clearest illustration of what that trust assumption costs. Compromising a single software vendor exposed 18,000 organizations downstream, including government agencies, enterprises, and critical infrastructure operators who had all vetted and approved that supplier. The code that delivered the payload was signed. It came through the expected update channel. It passed every control designed to evaluate its origin. What those controls did not evaluate was what the code would do when it was executed. That is the gap Zero Trust for Code is built to close.

OT Systems Carry Unique Execution Risk

The convergence of IT and operational technology in transportation creates a security challenge that generic enterprise controls were not designed to address. Autonomous vehicles, smart port systems, and rail networks all depend on OT that was often built without cybersecurity in mind, is expensive and operationally disruptive to update, and is deeply connected to the physical systems that move people and cargo.

The NotPetya attack in 2017 made the consequences of OT compromise concrete. Maersk’s entire shipping operation was crippled, with an estimated $300 million in losses and operations halted across ports worldwide. That attack entered through IT systems and moved laterally into OT environments. Pre-execution behavioral intent analysis evaluates what code will do before it is deployed, including whether its behavioral capabilities are appropriate for the specific environment where it will execute.

What SBOM and Signing Leave Uncovered in Transportation

Software bill of materials documentation and code signing represent meaningful progress in supply chain governance. An SBOM tells you what components are in the software. Code signing confirms who published it. Neither tells you what those components will do when they execute in your specific environment.

A signed update from a compromised vendor is still a compromised update. An SBOM that accurately lists every dependency still cannot tell you whether those dependencies will attempt to communicate with an external command-and-control server when deployed on a port management system. The control that answers what SBOM and signing leave open is pre-execution behavioral analysis: deconstruct the artifact, surface its behavioral capabilities, and issue a deterministic execution verdict before deployment advances.

The CodeHunter Solution for Transportation

CodeHunter helps transportation organizations span the gap between their existing security controls and the execution of governance those controls do not cover. Our platform automatically evaluates executable artifacts at speed and at scale. Every artifact is evaluated for behavioral intent before it is authorized to execute. The verdict is deterministic: Allow, Block, Contain, or Escalate. The evidence is forensic. The decision is auditable, and it happens before the first operational system is exposed.

Zero Trust for Code does not slow down software deployment in transportation environments. It ensures that what gets deployed has earned the right to execute. Find out how CodeHunter integrates into your existing security stack.

Secured data exchange between systems illustrating third-party software execution being verified and controlled before code is allowed to run

Third-Party Integration Risk Management: Monitor to Mitigate

/in /by

In the interconnected world of modern business, managing and mitigating cybersecurity risks posed by third-party vendors and partners has become a critical concern. Breaches can- and do- occur through less secure external entities, posing significant risks to organizations that rely on these vendors. Effectively managing these risks is crucial, as the security of an organization is often only as strong as its weakest link.

Read more

Interconnected circuitry forming a padlock, representing secure control over software execution and the verification of code behavior before it runs

Software Supply Chain Security: Why Pre-Execution Defense Is the Missing Layer 

/in , , /by

Software supply chain attacks are on the rise, and the reason is straightforward. A successful attack on any single link in the chain can spell disaster downstream. As software becomes more complex and interconnected, attackers have more entry points, more trusted channels to exploit, and more cover for the code they introduce.

The deeper problem is structural. Most cybersecurity solutions available today are built to detect known threats. By the time a security team identifies a new attack, the effects have already traveled down the chain. Reactive defenses that wait for something to look wrong are not a supply chain security strategy. They are a cleanup plan.

Defending software supply chains requires answering a question that existing tools were never designed to ask: what will this code do when it executes?

Trusted Sources Are Not Trusted Behavior

Threat actors approach supply chain attacks by undermining code signing, forging their way into a software supply chain under the guise of a known and trusted author. The fundamental problem is that organizations extend trust based on where code came from rather than what it will do.

CodeHunter operates on a different principle: every artifact is untrusted by default, regardless of its source. Where a manual check or preconfigured rule might wave through code from a trusted vendor, CodeHunter’s pre-execution behavioral analysis evaluates what that code is capable of doing before it is allowed to run, every time, without exception.

Software updates present the same risk. A threat actor who compromises a vendor’s update pipeline delivers malicious behavioral capability through a channel the target organization has explicitly trusted. Combing through every update manually would be prohibitively slow and expensive. CodeHunter deconstructs the artifact’s behavior automatically, issuing a deterministic verdict in a fractionof the time it would take an analyst to complete the same review.

Open-Source Code Is Not an Exception

Compromised open-source code is one of the most underestimated supply chain risks. The Linux backdoor discovered in the XZ Utils compression library is a clear example: a single contributor embedded a backdoor into widely trusted code that had been in use for years. Researchers caught it before it reached production systems, but that outcome was fortunate rather than systematic.

The sheer scope of open-source dependencies makes manual review impractical at scale. CodeHunter can be configured to automatically scan entire directories and networks, locally or in the cloud, to identify behavioral capabilities that should not be there. The question is never whether the code looks familiar. The question is what the code will do.

What Humans Miss, Behavioral Intent Analysis Catches

Valid credentials were the preferred initial access technique of cybercriminals last year, with a 71% increase in attacks leveraging stolen account access. Information stealers that harvest those credentials are often delivered through code that looks entirely legitimate. CodeHunter’s pre-execution behavioral analysis evaluates what code is capable of doing at the artifact level, not the filename level. Suspicious behavioral capability is surfaced regardless of how the artifact is packaged, named, or signed.

Unknown Threats Have Behavioral Signatures Too

Not every supply chain threat arrives with a known fingerprint. Behavioral intent analysis does not depend on prior knowledge of the threat. It deconstructs the artifact to surface what it is programmatically designed to do, and a trojan that has never been catalogued still has behavioral characteristics that are present in the artifact before it ever runs.

The Cost of Letting Threats Sit Undetected

The SolarWinds attack remains the clearest illustration of what delayed detection costs. Eighteen thousand customers unknowingly downloaded a malicious update, and the intrusion went undetected long enough to cause an estimated $90 million in insured losses. IBM put the average cost to remediate a software supply chain compromise at $4.63 million in 2023. The earlier a malicious artifact is identified, the less damage it causes, and CodeHunter is designed to catch artifacts at the threshold, before they execute, not after the damage is done.

Empower Your Software Supply Chain Security

CodeHunter’s combination of scalability, automation, and pre-execution behavioral analysis makes it the practical defense for organizations that cannot afford to let signed, trusted-looking code run unchecked. Speak with our team to learn more about how CodeHunter applies Zero Trust for Code to software supply chain security.