Webinar

Securing the Cloud Software Supply Chain: Strategies and Best Practices

May 29, 2025 | 16:00 - 17:00 IST

Virtual

In our recent webinar, "Securing Cloud Software Supply Chain: Strategies and Best Practices," cloud security expert Anjali Shukla unpacked real-world risks and shared actionable strategies to strengthen your cloud software supply chain.

Fill in the form to watch the session on-demand. Here is the overview of the session:

Understanding the Cloud Software Supply Chain

Before diving into attacks, Anjali emphasized a foundational view of how the software supply chain mirrors traditional manufacturing. It starts with raw materials, such as source code and packages, and moves through build and deployment processes. The final product runs in production, potentially across VMs, containers, Kubernetes clusters, or serverless functions in cloud environments like AWS, GCP, and Azure.

Modern cloud providers offer native services at every stage:

  • Code Repos: GitHub, Azure Repos, Cloud Shell
  • CI/CD: Jenkins, Azure Pipelines, CodeBuild/CodePipeline, Cloud Build
  • Artifact Registries: GCP Artifact Registry, AWS ECR, Azure Container Registry
  • Deployment Targets: EKS, GKE, Azure Functions, EC2, Compute Engine

Real-World Case Studies: How Supply Chains Get Compromised

1. Malicious npm Package (rand-user-agent) - Attackers published three backdoored versions of a dormant package to npm, exploiting trust in recent releases. The obfuscated code exfiltrated system data using C2 communication, affecting over 40,000 organizations.
Lesson - Always verify package provenance, use SBOMs, and avoid blindly updating to the latest versions.

2. GitHub Actions Abuse via PAT Token - A compromised Personal Access Token with write access was used to redirect a trusted version tag (tj-actions/changed-files) to a malicious commit. This injected secrets-leaking payloads into CI logs.
Lesson - Avoid version tags; instead, pin commits via SHA. Restrict token permissions. Monitor workflow logs for anomalies.

3. Terraform Plan Remote Code Execution - A malicious Terraform provider was crafted and published to the public registry. When referenced in a pull request, it triggered remote code execution (RCE) during the terraform init and plan stages, resulting in credentials being exfiltrated via pipeline logs.
Lesson - Pin plugin sources to private, audited directories. Never fetch providers from untrusted registries.
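One way to enforce the Terraform lesson on a pull request before terraform init ever runs is to reject provider source addresses outside an allowlist. This is an added example, not code from the webinar; the private registry hostname, the allowed namespace and the sample configuration are assumptions made for illustration.

```python
import re

DEFAULT_HOST = "registry.terraform.io"  # used by Terraform when a source has no hostname

# Assumed policy for this example: what the organisation has vetted.
ALLOWED_HOSTS = {"terraform.internal.example"}   # hypothetical private registry
ALLOWED_PUBLIC_NAMESPACES = {"hashicorp"}        # assumed vetted public namespace

BLOCK_RE = re.compile(r"required_providers\s*\{")
SOURCE_RE = re.compile(r'source\s*=\s*"([^"]+)"')

def required_provider_sources(tf_text):
    """Yield source strings found inside required_providers blocks only.
    Simplification: braces are counted without parsing strings or comments."""
    for m in BLOCK_RE.finditer(tf_text):
        depth, i = 1, m.end()
        while i < len(tf_text) and depth:
            depth += {"{": 1, "}": -1}.get(tf_text[i], 0)
            i += 1
        yield from SOURCE_RE.findall(tf_text[m.end():i])

def untrusted_providers(tf_text):
    """Return provider sources that are neither internal nor on the vetted list."""
    bad = []
    for source in required_provider_sources(tf_text):
        parts = source.lower().split("/")
        if len(parts) == 2:                  # namespace/type -> default public registry
            parts = [DEFAULT_HOST] + parts
        if len(parts) != 3:                  # not [hostname/]namespace/type: reject
            bad.append(source)
            continue
        host, namespace, _ = parts
        vetted_public = host == DEFAULT_HOST and namespace in ALLOWED_PUBLIC_NAMESPACES
        if host not in ALLOWED_HOSTS and not vetted_public:
            bad.append(source)
    return bad

# Constructed sample configuration, as it might appear in a pull request.
SAMPLE_TF = '''
terraform {
  required_providers {
    aws      = { source = "hashicorp/aws" }
    internal = { source = "terraform.internal.example/platform/network" }
    helper   = { source = "unvetted-namespace/helper" }
  }
}
module "vpc" { source = "git::https://example.com/vpc.git" }
'''

if __name__ == "__main__":
    for source in untrusted_providers(SAMPLE_TF):
        print(f"untrusted provider source: {source}")
```

Entries without a source attribute are not covered by this check, and module sources are deliberately out of scope; it only inspects required_providers.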

Common Blind Spots Organizations Overlook

  • Security as an afterthought: Many firms rely on pentests for audit checkboxes rather than building secure-by-design pipelines.
  • Ignoring SCA scan results: Even when vulnerabilities are flagged, remediation is often deprioritized.
  • Poor access control in CI/CD tools: Public Jenkins instances with hardcoded credentials are a goldmine for attackers.

Proactive Strategies

  • Adopt SBOMs: Know what’s in your code. Tools like Syft and Grype help track components and their risks.
  • Use SHA over tags: Prevent redirect attacks in GitHub Actions and container pulls.
  • Monitor artifacts and registries: Detect unauthorized uploads or tag changes early.
  • Integrate SCA into CI/CD: Set thresholds that break builds on critical vulnerabilities.
  • Restrict Terraform plugin sources: Limit to internal or vetted registries.

As cloud ecosystems grow more interconnected, supply chain attacks are no longer rare; they are expected to occur. But with the right practices in place, organizations can significantly reduce their exposure.

Watch the full webinar to explore the techniques and examples in more detail.

Speaker

Anjali Shukla

Blackhat / Nullcon Speaker,
Cloud Security Engineer

Anjali Shukla is a seasoned cloud security engineer with over six years of experience in DevSecOps, Kubernetes security (EKS/GKE), and AWS, Azure, and GCP security. She is the founder of Kubernetes Village, a community dedicated to enhancing Kubernetes security, and leads the OWASP EKS Goat project, which focuses on AWS EKS security. She has contributed to the community by volunteering at events like Cloud Village at DEF CON and BSides and is a recognized AWS Community Builder. Her speaking engagements include Black Hat Spring USA, Black Hat Europe, Nullcon, Seasides Goa, BSides Bangalore, CSA Bangalore and C0c0n.

What To Expect

Framing the Challenge

Understand the risks and complexities of securing modern software supply chains in the cloud.

Hands-On Knowledge

Gain practical insights into using industry-best tools and techniques to secure your CI/CD pipelines and dependencies.

Ask the Experts

Participate in an open Q&A session to clarify doubts, gain insights, and learn how to tackle your specific challenges effectively.

Actionable Guidance

Walk away with clear, actionable steps to enhance your organization’s cloud software supply chain security.
