| name | supply-chain-threat-awareness |
| description | Supply chain threat posture assessment for projects and packages. Use when reviewing a project's .github/workflows/*.yml, package.json, pyproject.toml, requirements.txt, pixi.toml, or lockfiles for exposure to active 2025–2026 campaigns. Covers Shai-Hulud (500+ npm packages), TeamPCP (Trivy, Checkmarx, LiteLLM, Bitwarden CLI, SAP CAP via tag hijacking), axios (100M weekly downloads), and LiteLLM .pth persistence — all attack patterns CVE scanners miss. |
| metadata | {"references":["references/campaigns/shai-hulud.md","references/campaigns/teampcp.md","references/campaigns/axios.md","references/campaigns/litellm-pth.md","references/posture-report-template.md"]} |
Supply Chain Threat Awareness
Threat Model
Maintainer account takeover and release-tag hijacking of widely-trusted packages are the dominant supply-chain threats in 2025–2026.
CVE Scanner Limitations
Treat scanner-clean as necessary, not sufficient — the audit below covers what advisories miss.
Active Campaigns
Each campaign has a deep-dive reference. Load on demand based on which applies to the project under review.
- Shai-Hulud — 500+ npm packages compromised via maintainer account takeover. →
references/campaigns/shai-hulud.md
- TeamPCP — Trivy, Checkmarx, LiteLLM, Bitwarden CLI, SAP CAP via release-tag hijacking (March 2026). →
references/campaigns/teampcp.md
- axios — 100M weekly npm downloads; maintainer account compromise. →
references/campaigns/axios.md
- LiteLLM 1.82.8 — Malicious
.pth file for persistent Python execution. → references/campaigns/litellm-pth.md
Audit Workflow
Run this assessment in order. Each step has a verifying command. Stop and remediate before continuing if any FAIL is critical (lockfile not committed, no --ignore-scripts, mutable action refs).
Step 1 — Lockfile hygiene
git ls-files | grep -E '(package-lock\.json|yarn\.lock|pnpm-lock\.yaml|poetry\.lock|uv\.lock|pixi\.lock|conda-lock\.yml|Cargo\.lock|go\.sum)$'
grep -rnE '(npm ci|yarn install --frozen-lockfile|pnpm install --frozen-lockfile|uv sync --frozen|poetry install|pixi install|cargo build --locked)' .github/workflows/
If any FAIL: STOP and fix before continuing — without lockfile hygiene, every other check is moot.
Step 2 — Action pinning
grep -nE '^\s*-?\s*uses:\s+[^@]+@[^a-f0-9]' .github/workflows/*.yml || echo "All uses: refs SHA-pinned"
If FAIL: run /supply-chain-pin-actions (dry-run first), then re-verify.
Step 3 — Install-time execution
test -f package.json && jq '.scripts | {preinstall, install, postinstall} // empty' package.json
grep -rE '(npm ci.*--ignore-scripts|ignore-scripts\s*=\s*true)' .github/workflows/ .npmrc 2>/dev/null || echo "WARN: no --ignore-scripts found"
command -v python >/dev/null && find "$(python -c 'import site; print(site.getsitepackages()[0])' 2>/dev/null)" -name "*.pth" -exec grep -lE '^(import|exec|os\.|subprocess)' {} \; 2>/dev/null
If FAIL: see references/campaigns/shai-hulud.md (postinstall vector) or references/campaigns/litellm-pth.md (.pth vector).
Step 4 — Dependency velocity
git log --follow --pretty=format:"%h %ai %s" -10 package-lock.json 2>/dev/null
git log --follow --pretty=format:"%h %ai %s" -10 uv.lock 2>/dev/null
git log --follow --pretty=format:"%h %ai %s" -10 pixi.lock 2>/dev/null
If FAIL: hold new deps ≥7 days before merging (most malicious releases yanked within hours).
Step 5 — SBOM and provenance
grep -rE '(syft|cyclonedx|spdx|cosign|sigstore|--provenance|attest-build-provenance)' .github/workflows/
If FAIL: see supply-chain-sbom-provenance skill.
Output: Posture Report
When invoked for a posture review, produce the Markdown report defined in references/posture-report-template.md. The template specifies the required tables (campaign applicability, step results, top 3 priority actions) and the finding-entry rules (campaign name, file:line, blast radius, remediation command or skill).