Vulnerability in legacy Python packages exposes PyPI supply chain to takeover attacks

Cybersecurity researchers have discovered vulnerable code in outdated Python packages that could pave the way for a supply chain compromise of the Python Package Index (PyPI) via a domain takeover technique. Software supply chain security company ReversingLabs identified the vulnerability in bootstrap files provided by a build and deployment automation tool called zc.buildout.

The Risk of Takeover by Legacy Packages

The problem lies in an old bootstrap script (bootstrap.py) that was used with zc.buildout to initialize the environment. This script had the ability to install the “Distribute” packaging utility, a short-lived fork of the Setuptools project. To do this, it downloads the Distribute installation script (distribute_setup.py) from the python-distribute[.]org domain. ...

November 28, 2025 · Comfidentia

State of Supply Chain Defense: Annual Global Perspectives Report 2025

Alarming Increase in Supply Chain Gaps

According to BlueVoyant’s annual State of Supply Chain Defense: Annual Global Insights Report 2025, an overwhelming majority of organizations (97%) have been negatively impacted by a supply chain breach. This represents a significant increase over the 81% recorded in 2024, underscoring the growing exposure of companies to third-party risk.

Increasing Maturity in Third Party Risk Management (TPRM)

Despite the worrying outlook, the report highlights that organizations are intensifying their efforts to prevent, mitigate and resolve supply chain incidents more effectively. ...

November 21, 2025 · Comfidentia