About this catalog
supplychainattack.org is a neutral, public reference that catalogs confirmed software, hardware, and vendor supply chain attacks. It exists to be a stable, citable record: one entry per incident, each with a permanent URL. It is not a product, not a scanner, and not a vendor blog.
Why we built this
We are vulnerability researchers who track and detect supply chain attacks. Our days are spent following the constant stream of compromised packages, hijacked maintainer accounts, and poisoned build pipelines that hit the software ecosystem every week. Over time we kept running into the same wall: staying current is genuinely hard. The information is scattered across vendor blogs, advisory databases, mailing lists, and social media, and it moves fast. There was no single, neutral place to see what had just happened and to record it in a consistent, citable way.
So we built one. supplychainattack.org is the centralized, always-current record we wished already existed: every confirmed incident in one place, each with a permanent URL and links back to the original sources.
We also built it with a specific group in mind. Enterprise supply chain security tooling is powerful, but it is expensive, and plenty of teams cannot justify that budget. Those teams still need to know the moment a package or tool they depend on is compromised. Our aim is to level that field: anyone can follow the catalog or subscribe to our RSS feed and stay informed of the latest confirmed incidents as they happen, for free. No account, no contract, no paywall.
Neutrality stance
Entries describe what happened and what is publicly documented. We do not rank vendors, assign blame beyond what sources establish, or promote any product or service. Language is kept factual and restrained. Severity reflects documented impact and reach, not commercial interest. Where facts are contested, the incident is marked disputed and the disagreement is described rather than resolved.
The inclusion bar
An incident is included only when it is confirmed, which we define as:
- At least one credible public advisory or vendor confirmation establishing that a supply chain compromise occurred.
Qualifying sources include national vulnerability databases (e.g. NVD), vendor security advisories, the maintainers or registries involved, and established security research organizations. Rumors, single-source social media claims, and unconfirmed reports are not included until they meet this bar. Every entry lists its sources so readers can verify the basis for inclusion.
What this is not
- Not a scanning, detection, or monitoring tool.
- Not a SaaS product: there are no accounts, logins, or paid tiers.
- Not a comprehensive threat feed: indicators of compromise are included for reference, but the canonical IoC source is always the linked advisory.
Corrections
Accuracy matters more than speed. If an entry is wrong or out of date, use the “Suggest a correction” link on the incident page. Corrections to factual errors take priority over new entries.