| github | https://github.com/kpcyrd/sn0int |
| docs | https://sn0int.readthedocs.io/ |
| irc | irc.hackint.org:6697/#sn0int |
How to landmine an org that uses the GitLab package registry:
The GitLab options {maven,npm,pypi}_package_requests_forwarding all default to on. If you register the org's packages on the public registry, their GitLab is going to serve your code if they ever delete their private package.
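A defender-side audit for the settings the post names, written here as an added example (not kpcyrd's code and not GitLab's own tooling). It assumes the GitLab REST endpoint `GET`/`PUT /api/v4/application/settings` with a `PRIVATE-TOKEN` admin token, and that the three keys are exactly `maven_package_requests_forwarding`, `npm_package_requests_forwarding` and `pypi_package_requests_forwarding`. The sample settings response is constructed for the example; a key missing from the response is treated as enabled, matching the default-on behaviour the post describes.

```python
"""Audit and switch off GitLab package-request forwarding.

Added example, not the post author's code or GitLab's own tooling. Assumes the
application-settings REST endpoint (GET/PUT /api/v4/application/settings)
and the three setting keys named in the post.
"""
import json
import urllib.request
from typing import Dict, List

# The three application settings named in the post; GitLab defaults them to on.
FORWARDING_KEYS = (
    "maven_package_requests_forwarding",
    "npm_package_requests_forwarding",
    "pypi_package_requests_forwarding",
)


def enabled_forwarding(settings: Dict[str, object]) -> List[str]:
    """Return the forwarding settings that are enabled.

    A key absent from the response is counted as enabled, since the post
    states the default is on.
    """
    return [key for key in FORWARDING_KEYS if settings.get(key, True)]


def forwarding_patch(settings: Dict[str, object]) -> Dict[str, bool]:
    """Return the minimal PUT body that disables every enabled forwarding flag."""
    return {key: False for key in enabled_forwarding(settings)}


def fetch_settings(base_url: str, token: str) -> Dict[str, object]:
    """GET the instance application settings (requires an admin token)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/application/settings",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def apply_patch(base_url: str, token: str, patch: Dict[str, bool]) -> Dict[str, object]:
    """PUT only the forwarding keys that need changing and return the new settings."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/application/settings",
        data=json.dumps(patch).encode(),
        headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"},
        method="PUT",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample response: an instance that disabled PyPI forwarding,
# left npm forwarding on, and whose response omits the Maven key entirely.
SAMPLE_SETTINGS: Dict[str, object] = {
    "npm_package_requests_forwarding": True,
    "pypi_package_requests_forwarding": False,
    "signup_enabled": False,
}

if __name__ == "__main__":
    # Offline dry run over the constructed sample; swap in fetch_settings()
    # and apply_patch() with a real base URL and admin token to act on an instance.
    for key in enabled_forwarding(SAMPLE_SETTINGS):
        print(f"forwarding enabled: {key}")
    print("patch to apply:", json.dumps(forwarding_patch(SAMPLE_SETTINGS)))
```

Run it against the sample to see which flags still forward to the public registries; the `forwarding_patch` body is what you would PUT to close them off, after which a deleted private package yields a 404 from GitLab rather than a fetch from the public registry.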
Stay tuned in 2023 for offensive supply-chain security https://github.com/kpcyrd/sh4d0wup
QT kpcyrd: The hardest part of writing a malicious container registry is how fragmented the ecosystem is. Each of these is a valid response when pulling a specific container image by tag.
Dear doordash engineers, it could be worse: at least you're not asked to be an opensource worker
QT kpcyrd: Since people are tweeting about delivery workers right now: this is how much I made last month delivering food 2 days a week on minimum wage vs how much I made working on opensource 7 days a week (and I'm already blessed it's that high)
Reminder that all my supply-chain content is now tweeted from this account (even though there's overlap with offensive security in this one)
QT kpcyrd: Would you be interested in a weaponized tool that demonstrates risks of signing-key-abuse for real life update systems, if you happened to have access to the right private keys? #supplychainsecurity
pew pew!
QT kpcyrd: This is pretty big for me, after 7 years one of my repos has reached 1k github stars for the first time