Supply · GitHub Blog
Securing the open source supply chain across GitHub
Compiled by KHAO Editorial — aggregated from 2 outlets. See llms.txt for citation guidance.
✓ KHAO Verified
Over the past year, a new pattern has emerged in attacks on the open source supply chain.
Key facts
- Npm is the largest package repository in the world, with over 30,000 packages published each day
- At this scale, even a 1% false-positive rate would disrupt hundreds of legitimate publishes daily
- When an attack happens, they publish information about compromised dependencies in their Advisory Database
- In late 2025 the Shai-Hulud attacks motivated a revamped security roadmap for npm, which they talked about in Their plan for a more secure npm supply chain and Strengthening supply chain security
Summary
Let’s talk through what you can do today to secure your GitHub Actions workflows, what work GitHub has been doing to secure open source, and what to expect in the coming months for further security enhancements. Many of these attacks start by looking for exploitable GitHub Actions workflows. The most critical action you can take is to enable CodeQL to review your GitHub Actions workflow implementation (available for free on public repositories) to inspect your workflows for security best practices. Next, review their detailed actions security guidance.