{"id":13668492,"url":"https://github.com/IQTLabs/software-supply-chain-compromises","last_synced_at":"2025-04-26T22:31:25.522Z","repository":{"id":41244106,"uuid":"294407668","full_name":"IQTLabs/software-supply-chain-compromises","owner":"IQTLabs","description":"A dataset of software supply chain compromises. Please help us maintain it!","archived":true,"fork":false,"pushed_at":"2022-09-16T15:08:21.000Z","size":319,"stargazers_count":127,"open_issues_count":14,"forks_count":29,"subscribers_count":18,"default_branch":"master","last_synced_at":"2024-08-02T08:06:55.314Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc0-1.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/IQTLabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-09-10T12:47:33.000Z","updated_at":"2024-07-23T15:21:22.000Z","dependencies_parsed_at":"2023-01-18T11:46:13.405Z","dependency_job_id":null,"html_url":"https://github.com/IQTLabs/software-supply-chain-compromises","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IQTLabs%2Fsoftware-supply-chain-compromises","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IQTLabs%2Fsoftware-supply-chain-compromises/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IQTLabs%2Fsoftware-supply-chain-compromises/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IQTLabs%2Fsoftware-supply-chain-compromises/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/IQTLabs","download_url":"https://codeload.github.com/IQTLabs/software-supply-chain-compromises/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224048743,"owners_count":17247078,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T08:00:37.459Z","updated_at":"2024-11-11T04:31:13.602Z","avatar_url":"https://github.com/IQTLabs.png","language":null,"funding_links":[],"categories":["Data","Talks, articles, media coverage and other reading","Others (1002)","Others"],"sub_categories":["Open Source","Getting started and staying fresh"],"readme":"# Software Supply Chain Compromises - A Living Dataset\n\nThe `.csv` file in this repository represents the work by **IQT Labs** to identify\nand create a living (though not breathing) dataset of publicly reported software\nsupply chain compromises.\nDan Geer, Bentz Tozer, and John Speed Meyers used this dataset for an article\nanalyzing software supply chain compromises (see the citation below).\n\nWe want and need help to maintain this dataset. Please help us maintain it by\nsubmitting pull requests to identify mistakes we made (we're human after all)\neither of commission or by omission. Importantly, this dataset will quickly go\nout of date unless new attacks are added.\n\n**Some conventions...**\n\n- All table entries are sorted according to their `report_date`, since it is the only non-null sortable field.\n- All dates in the table are in `m / d / yyyy` format.\n\n**If you are interested in software supply chain security, we recommend recent\nresearch and initiatives such as...**\n\n- Software Bill of Materials effort, National Telecommunications and\n  Information Administration.\n  [Link](https://www.ntia.gov/SBOM).\n\n- Trey Herr, William Loomis, Stewart Scott, June Lee, \"Breaking Trust: Shades of\n  Crisis across an Insecure Software Supply Chain,\" The Atlantic Council, 2020.\n  [Link](https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf).\n\n- OpenSSF, Open Source Security Foundation, a Linux Foundation project.\n  [Link](https://openssf.org/).\n\n- Marc Ohm, Backstabber's Knife Collection, an open source malware research\n  repository.\n  [Link](https://dasfreak.github.io/Backstabbers-Knife-Collection/).\n\n- In-toto Project, Software Supply Chain Compromises, New York University Secure\n  Systems Lab.\n  [Link](https://github.com/in-toto/supply-chain-compromises).\n\n\n**You can find IQT Lab's own public research on software supply chain security\nbelow...**\n\n- Dan Geer, Bentz Tozer, and John Speed Meyers, \"Counting Broken Links: A\n  Quant's View of Software Supply Chain Security,\" USENIX, December 2020.\n  [Link](https://www.usenix.org/system/files/login/articles/login_winter20_17_geer.pdf).\n\n- John Speed Meyers and Bentz Tozer, \"pypi-scan: A Tool for Scanning the Python\n  Package Index for Typosquatters,\" IQT Blog, October 16, 2020.\n  [Link](https://www.iqt.org/pypi-scan/),\n  [GitHub Repository](https://github.com/IQTLabs/pypi-scan).\n\n- John Speed Meyers and Bentz Tozer, \"Bewear: Python Typosquatting is About More\n  than Typos,\" IQT Blog, September 30, 2020.\n  [Link](https://www.iqt.org/bewear-python-typosquatting-is-about-more-than-typos/).\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FIQTLabs%2Fsoftware-supply-chain-compromises","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FIQTLabs%2Fsoftware-supply-chain-compromises","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FIQTLabs%2Fsoftware-supply-chain-compromises/lists"}