Elastic's security team has released Supply Chain Monitor, an internal tool that monitors top npm and PyPI packages for supply chain compromises; the tool also caught the recent Axios incident.

https://www.elastic.co/security-labs/how-we-caught-the-axios-supply-chain-attack

https://github.com/elastic/supply-chain-monitor

How we caught the Axios supply chain attack — Elastic Security Labs

Joe Desimone shares the story of how he caught the Axios supply chain attack with a proof of concept tool built in an afternoon.

@campuscodi Great to see Elastic open-sourcing this! The fact they caught the Axios incident shows how effective proactive monitoring can be. Have you noticed if this approach scales well for orgs monitoring hundreds of dependencies across multiple package managers?