Catalog of real-world software supply-chain attacks reproduced as safe harnesses, each with cilock detection demonstrated by live CI. Trivy tag-rewrite, LiteLLM .pth stealer, Nx VS Code, actions-cool hijack, Shai-Hulud npm worm, Microsoft durabletask PyPI, GitHub source disclosure.
attestation attack-detection devsecops durabletask in-toto slsa supply-chain-security sigstore opa-policy cve-reproduction shai-hulud supply-chain-attack secretscan nx-attack actions-cool
-
Updated
May 22, 2026 - Open Policy Agent