Software "supply chain poisoning" is gaining momentum; the National Security Department issues a security alert

Date: 18/06/2026
The State Security Department released a security advisory today. The National Internet Security Bulletin Center has recently monitored multiple supply chain poisoning attacks involving two core supply chain scenarios: open source software repositories and commercial tools. These "supply chain poisoning" incidents are highly concealed, wide in impact, severe in harm, and fast to spread, and have led to serious consequences such as credential theft, remote code execution, and leakage of sensitive data.

The software supply chain is the full process chain from component acquisition, through development and integration and version distribution, to delivery to end users. Unlike a direct attack on end users, "supply chain poisoning" follows a typical "upstream contamination, downstream transmission" model. Attackers implant malicious programs into software by hijacking developers' official accounts, tampering with the source code in open source repositories, contaminating software installation packages and release versions, and similar means. As the software is released and updated, these hidden "tumors" are continuously delivered to a large number of terminal devices.
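The "upstream contamination, downstream transmission" model described above is exactly what release-integrity checks are meant to interrupt: a consumer should only install artifacts whose digests match a manifest the publisher signed, so that a tampered package, a dropped file or an extra file slipped into the download is detected before anything runs. The following is an added example, not code from the advisory or from any of the affected projects. It uses an HMAC key as a stand-in for the publisher's real signing key (a production pipeline would use an asymmetric signature such as Sigstore or GPG so the verifier holds no secret), and all file names, contents and the key are constructed for the demo.

```python
"""Verify downloaded release artifacts against a publisher-signed manifest.

Added example, not part of the advisory. The HMAC key stands in for a real
publisher signing key; artifacts and names below are constructed demo data.
"""
import hashlib
import hmac
import json

CHUNK = 64 * 1024


def sha256_hex(data: bytes) -> str:
    """Hash an artifact in chunks so large packages need not be held at once."""
    h = hashlib.sha256()
    for i in range(0, len(data), CHUNK):
        h.update(data[i:i + CHUNK])
    return h.hexdigest()


def build_manifest(release: dict, signing_key: bytes) -> dict:
    """Publisher side: record one digest per artifact and sign the record."""
    digests = {name: sha256_hex(blob) for name, blob in sorted(release.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    sig = hmac.new(signing_key, body, hashlib.sha256).hexdigest()
    return {"digests": digests, "signature": sig}


def verify_manifest(manifest: dict, verify_key: bytes) -> bool:
    """Consumer side: is the digest list really the one the publisher signed?"""
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected = hmac.new(verify_key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["signature"])


def verify_artifacts(manifest: dict, fetched: dict, verify_key: bytes) -> dict:
    """Classify each artifact as ok / tampered / missing / unexpected.

    If the manifest itself does not verify, nothing in it can be trusted, so
    every name is reported as untrusted-manifest rather than checked.
    """
    if not verify_manifest(manifest, verify_key):
        names = set(manifest["digests"]) | set(fetched)
        return {name: "untrusted-manifest" for name in names}
    report = {}
    for name, want in manifest["digests"].items():
        if name not in fetched:
            report[name] = "missing"          # published file never arrived
        elif hmac.compare_digest(sha256_hex(fetched[name]), want):
            report[name] = "ok"
        else:
            report[name] = "tampered"         # bytes changed downstream
    for name in fetched:
        if name not in manifest["digests"]:
            report[name] = "unexpected"       # file added downstream, never published
    return report


# --- constructed demo data (not real packages or keys) ----------------------
SIGNING_KEY = b"demo-publisher-key"
TRUSTED_RELEASE = {
    "tool-1.2.0.tar.gz": b"clean source tarball",
    "tool-1.2.0.whl": b"clean wheel",
}
MANIFEST = build_manifest(TRUSTED_RELEASE, SIGNING_KEY)

# What a consumer might receive after an upstream compromise: one artifact
# altered in place, one dropped, and one extra file slipped into the release.
POISONED_DOWNLOAD = {
    "tool-1.2.0.tar.gz": b"clean source tarball" + b"<INJECTED>",
    "postinstall.sh": b"<INJECTED>",
}


def demo_poisoned_download() -> dict:
    """Genuine manifest, poisoned files: each problem is named individually."""
    return verify_artifacts(MANIFEST, POISONED_DOWNLOAD, SIGNING_KEY)


def demo_forged_manifest() -> dict:
    """Attacker rewrites the digests to match the poisoned files but cannot
    produce a valid signature, so the whole manifest is rejected."""
    forged = {
        "digests": {n: sha256_hex(b) for n, b in sorted(POISONED_DOWNLOAD.items())},
        "signature": MANIFEST["signature"],
    }
    return verify_artifacts(forged, POISONED_DOWNLOAD, SIGNING_KEY)


if __name__ == "__main__":
    for name, status in sorted(demo_poisoned_download().items()):
        print(f"{status:18s} {name}")
    for name, status in sorted(demo_forged_manifest().items()):
        print(f"{status:18s} {name}")
```

The two demo functions cover the two ways a downstream consumer is normally poisoned: the files change while the manifest stays genuine (each file is flagged individually), or the attacker rewrites the manifest to match the poisoned files (the signature check rejects it wholesale). Hashing alone only gives the first protection; the signature is what ties the digests back to the publisher.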