Supply Chain Guard Automated detection and remediation of software supply chain attacks across npm, PyPI, crates.io, GitHub Actions, and CI/CD pipelines. Built from real-world attack intelligence gathered through March 31, 2026. When to Use This Skill Use this skill when: - The user asks to audit a project's dependencies for security issues - Before deploying code to production - When investigating a potential supply chain compromise - When the user mentions a recent supply chain attack and wants to check their projects - As a regular security check in development workflows - When setting up…

\\n'\"$USER_SITE\"\n\n while IFS= read -r site_dir; do\n [[ -d \"$site_dir\" ]] || continue\n while IFS= read -r -d '' pth_file; do\n if grep -qE \"^import |^exec|^eval|subprocess|os\\.system|os\\.popen|__import__\" \"$pth_file\" 2>/dev/null; then\n alert \"Suspicious .pth file with code execution: $pth_file\"\n echo \" Content preview:\"\n head -5 \"$pth_file\" | while read -r line; do echo \" $line\"; done\n fi\n if [[ \"$(basename \"$pth_file\")\" == \"litellm_init.pth\" ]]; then\n alert \"LiteLLM persistence IOC: litellm_init.pth found at $pth_file — This executes on EVERY Python startup.\"\n fi\n done \u003c \u003c(find \"$site_dir\" -name \"*.pth\" -print0 2>/dev/null)\n done \u003c\u003c\u003c \"$ALL_SITES\"\nelse\n echo \" python3 not found. Skipping .pth scan.\"\nfi\n\n# ============================================================\n# PHASE 4: Check for PyPI token exposure\n# ============================================================\necho \"\"\necho -e \"${CYAN}── Phase 4: PyPI credential exposure check ──${NC}\"\n\nPYPIRC=\"$HOME/.pypirc\"\nif [[ -f \"$PYPIRC\" ]]; then\n warn \".pypirc found at $PYPIRC — Contains PyPI publishing credentials. Ensure token has minimal scope.\"\n if grep -q \"password\" \"$PYPIRC\" 2>/dev/null; then\n warn \".pypirc contains a password field. Use scoped API tokens instead.\"\n fi\nfi\n\nif env | grep -qi \"PYPI\\|TWINE\" 2>/dev/null; then\n warn \"PyPI/Twine credentials found in environment variables. Rotate if any compromise suspected.\"\nfi\n\n# ============================================================\n# PHASE 5: Filesystem IOC scan\n# ============================================================\necho \"\"\necho -e \"${CYAN}── Phase 5: Filesystem IOC scan ──${NC}\"\n\nfor ioc in \"${FS_IOCS[@]}\"; do\n if [[ -e \"$ioc\" ]]; then\n alert \"Filesystem IOC detected: $ioc — System may be compromised.\"\n fi\ndone\n\nif command -v systemctl &>/dev/null; then\n for svc in \"pgmon.service\" \"sysmon.service\"; do\n if systemctl --user is-enabled \"$svc\" &>/dev/null 2>&1; then\n alert \"TeamPCP persistence mechanism: systemd user service $svc is enabled.\"\n fi\n done\nfi\n\nif command -v crontab &>/dev/null; then\n CRON=$(crontab -l 2>/dev/null || true)\n if echo \"$CRON\" | grep -qE \"pgmon|sysmon|\\.fonts-unix|icp0\\.io\" 2>/dev/null; then\n alert \"Suspicious cron entry found matching known IOC patterns.\"\n fi\nfi\n\n# ============================================================\n# PHASE 6: Check Rust crates (if Cargo.lock present)\n# ============================================================\necho \"\"\necho -e \"${CYAN}── Phase 6: Checking Rust dependencies (if present) ──${NC}\"\n\nCARGO_LOCKS=()\nwhile IFS= read -r -d '' f; do\n CARGO_LOCKS+=(\"$f\")\ndone \u003c \u003c(find \"$PROJECT_DIR\" -maxdepth 3 -name \"Cargo.lock\" -not -path \"*/target/*\" -print0 2>/dev/null)\n\nif [[ ${#CARGO_LOCKS[@]} -gt 0 ]]; then\n MALICIOUS_CRATES=(\"chrono_anchor\" \"dnp3times\" \"time_calibrator\" \"time_calibrators\" \"time-sync\")\n for cargo_lock in \"${CARGO_LOCKS[@]}\"; do\n echo \" Scanning: $cargo_lock\"\n for crate in \"${MALICIOUS_CRATES[@]}\"; do\n if grep -q \"name = \\\"$crate\\\"\" \"$cargo_lock\" 2>/dev/null; then\n alert \"Malicious Rust crate in $cargo_lock: $crate — Credential stealer targeting .env files. Remove immediately.\"\n fi\n done\n done\nelse\n echo \" No Cargo.lock found.\"\nfi\n\n# ============================================================\n# RESULTS\n# ============================================================\necho \"\"\necho -e \"${CYAN}══════════════════════════════════════════════════════════${NC}\"\nif [[ $FOUND_ISSUES -eq 0 ]]; then\n echo -e \"${GREEN}✓ No known supply chain IOCs detected.${NC}\"\n echo \" Note: This scanner checks against known IOCs as of 2026-03-31.\"\n echo \" Always pin dependencies and verify package integrity.\"\nelse\n echo -e \"${RED}✗ Found $FOUND_ISSUES potential issue(s).${NC}\"\n echo \"\"\n echo \" Recommended immediate actions:\"\n echo \" 1. Uninstall/downgrade any flagged packages\"\n echo \" 2. Rotate ALL credentials: PyPI tokens, cloud keys, SSH keys, API keys\"\n echo \" 3. Check for persistence: systemd services, .pth files, cron jobs\"\n echo \" 4. Audit CI/CD pipelines that run pip install\"\n echo \" 5. If filesystem IOCs found: treat system as fully compromised\"\nfi\necho -e \"${CYAN}══════════════════════════════════════════════════════════${NC}\"\n\nexit $FOUND_ISSUES\n","content_type":"application/x-sh; charset=utf-8","language":"bash","size":10835,"content_sha256":"65717a268f6bb7db96974360201274e7af398932f7641a3d65397a1029080edf"}],"content_json":{"type":"doc","content":[{"type":"heading","attrs":{"level":1},"content":[{"text":"Supply Chain Guard","type":"text"}]},{"type":"paragraph","content":[{"text":"Automated detection and remediation of software supply chain attacks across npm, PyPI, crates.io, GitHub Actions, and CI/CD pipelines. Built from real-world attack intelligence gathered through March 31, 2026.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"When to Use This Skill","type":"text"}]},{"type":"paragraph","content":[{"text":"Use this skill when:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"The user asks to audit a project's dependencies for security issues","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Before deploying code to production","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When investigating a potential supply chain compromise","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When the user mentions a recent supply chain attack and wants to check their projects","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"As a regular security check in development workflows","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When setting up CI/CD pipelines and wanting to harden them","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When a new supply chain attack is reported and the user wants to verify exposure","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Instructions","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 1: Understand the Project","type":"text"}]},{"type":"paragraph","content":[{"text":"Identify what the user's project uses:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Node.js/npm","type":"text","marks":[{"type":"strong"}]},{"text":": Look for ","type":"text"},{"text":"package.json","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"package-lock.json","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"yarn.lock","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"pnpm-lock.yaml","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Python/PyPI","type":"text","marks":[{"type":"strong"}]},{"text":": Look for ","type":"text"},{"text":"requirements.txt","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"Pipfile","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"pyproject.toml","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"poetry.lock","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Rust/crates.io","type":"text","marks":[{"type":"strong"}]},{"text":": Look for ","type":"text"},{"text":"Cargo.toml","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"Cargo.lock","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"CI/CD","type":"text","marks":[{"type":"strong"}]},{"text":": Look for ","type":"text"},{"text":".github/workflows/","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"Dockerfile","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"docker-compose.yml","type":"text","marks":[{"type":"code_inline"}]}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 2: Run the Appropriate Scanners","type":"text"}]},{"type":"paragraph","content":[{"text":"The skill includes three specialized scanners plus a unified runner. All scripts are in the ","type":"text"},{"text":"scripts/","type":"text","marks":[{"type":"code_inline"}]},{"text":" directory.","type":"text"}]},{"type":"paragraph","content":[{"text":"Full audit (recommended):","type":"text","marks":[{"type":"strong"}]}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"bash /path/to/supply-chain-guard/scripts/scan-all.sh /path/to/project","type":"text"}]},{"type":"paragraph","content":[{"text":"Individual scanners:","type":"text","marks":[{"type":"strong"}]}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# npm/Node.js projects\nbash /path/to/supply-chain-guard/scripts/scan-npm.sh /path/to/project\n\n# Python/PyPI projects\nbash /path/to/supply-chain-guard/scripts/scan-python.sh /path/to/project\n\n# CI/CD pipeline audit\nbash /path/to/supply-chain-guard/scripts/scan-ci.sh /path/to/project","type":"text"}]},{"type":"paragraph","content":[{"text":"Each scanner checks for:","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Known compromised packages","type":"text","marks":[{"type":"strong"}]},{"text":" — exact matches against the IOC database","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Malicious versions","type":"text","marks":[{"type":"strong"}]},{"text":" — specific version numbers known to contain malware","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Filesystem IOCs","type":"text","marks":[{"type":"strong"}]},{"text":" — persistence mechanisms left by attackers","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Network IOCs","type":"text","marks":[{"type":"strong"}]},{"text":" — C2 domains and IPs in source code","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"CI/CD misconfigurations","type":"text","marks":[{"type":"strong"}]},{"text":" — unpinned actions, dangerous triggers, exposed secrets","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Credential exposure","type":"text","marks":[{"type":"strong"}]},{"text":" — npm tokens, PyPI credentials, .env files","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 3: Interpret Results","type":"text"}]},{"type":"paragraph","content":[{"text":"Scanners exit with the number of issues found (0 = clean). Issues are categorized:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"[CRITICAL]","type":"text","marks":[{"type":"strong"}]},{"text":" — Known malicious package or active IOC detected. Immediate action required.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"[WARNING]","type":"text","marks":[{"type":"strong"}]},{"text":" — Security concern that needs investigation. May not be an active compromise.","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 4: Remediate","type":"text"}]},{"type":"paragraph","content":[{"text":"Based on findings, guide the user through remediation:","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"If a compromised package is found:","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Remove or downgrade to a known safe version immediately","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Clear package caches: ","type":"text"},{"text":"npm cache clean --force","type":"text","marks":[{"type":"code_inline"}]},{"text":" / ","type":"text"},{"text":"pip cache purge","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Delete ","type":"text"},{"text":"node_modules","type":"text","marks":[{"type":"code_inline"}]},{"text":" / ","type":"text"},{"text":".venv","type":"text","marks":[{"type":"code_inline"}]},{"text":" and reinstall from lockfile","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Rotate ALL credentials that were accessible from the environment","type":"text"}]}]}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"If filesystem IOCs are found:","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"The system should be treated as ","type":"text"},{"text":"fully compromised","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Identify and remove persistence mechanisms (systemd services, .pth files, cron jobs)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Rotate every credential on the system","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Audit cloud provider logs (AWS CloudTrail, GCP Audit Logs, Azure Activity Log)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Check for lateral movement in Kubernetes clusters","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Consider reimaging the machine","type":"text"}]}]}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"If CI/CD issues are found:","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Pin all GitHub Actions to full commit SHAs (not version tags)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Add ","type":"text"},{"text":"--ignore-scripts","type":"text","marks":[{"type":"code_inline"}]},{"text":" to npm install/ci commands","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Add ","type":"text"},{"text":"--require-hashes","type":"text","marks":[{"type":"code_inline"}]},{"text":" to pip install commands","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Remove or secure ","type":"text"},{"text":"pull_request_target","type":"text","marks":[{"type":"code_inline"}]},{"text":" triggers","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Apply least-privilege permissions to workflow tokens","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Audit pipeline execution logs for the attack window periods","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 5: Harden the Project","type":"text"}]},{"type":"paragraph","content":[{"text":"After remediation, recommend these preventive measures:","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Lock everything","type":"text","marks":[{"type":"strong"}]},{"text":": Exact version pins + lockfiles committed to repo","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Hash-verify","type":"text","marks":[{"type":"strong"}]},{"text":": Use ","type":"text"},{"text":"npm ci","type":"text","marks":[{"type":"code_inline"}]},{"text":" (not ","type":"text"},{"text":"npm install","type":"text","marks":[{"type":"code_inline"}]},{"text":"), ","type":"text"},{"text":"pip install --require-hashes","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Disable scripts","type":"text","marks":[{"type":"strong"}]},{"text":": Use ","type":"text"},{"text":"--ignore-scripts","type":"text","marks":[{"type":"code_inline"}]},{"text":" by default, enable only for trusted packages","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Pin actions","type":"text","marks":[{"type":"strong"}]},{"text":": All GitHub Actions pinned to full SHA, never tags","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Scope tokens","type":"text","marks":[{"type":"strong"}]},{"text":": CI/CD tokens should have minimal permissions","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Monitor","type":"text","marks":[{"type":"strong"}]},{"text":": Set up automated dependency scanning (but verify the scanner itself is not compromised — see Trivy incident)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Network controls","type":"text","marks":[{"type":"strong"}]},{"text":": Block known C2 domains/IPs at firewall level","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Audit regularly","type":"text","marks":[{"type":"strong"}]},{"text":": Run this scanner before every deployment","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Reference Files","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"references/ioc-database.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" — Full IOC database with all compromised packages, malicious versions, C2 infrastructure, filesystem indicators, and attack timelines. Read this file for detailed intelligence on specific attacks.","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Current Threat Landscape (as of 2026-03-31)","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Active Campaign: TeamPCP (CRITICAL)","type":"text"}]},{"type":"paragraph","content":[{"text":"The most significant active threat. TeamPCP is executing a cascading credential-chain campaign:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Compromised Trivy (security scanner) → stole CI/CD secrets from thousands of pipelines","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Used stolen npm tokens to deploy CanisterWorm across 141+ npm packages","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Used stolen PyPI tokens to backdoor LiteLLM (95M monthly downloads) and Telnyx","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Uses blockchain (ICP) for C2, making takedown impossible","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Deploys WAV steganography for payload delivery","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Targets Kubernetes for lateral movement","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Has a destructive variant that wipes Iranian systems","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Active: axios npm Hijack (2026-03-31)","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"[email protected] and [email protected] contain RAT dropper via fake ","type":"text"},{"text":"plain-crypto-js","type":"text","marks":[{"type":"code_inline"}]},{"text":" dependency","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"300M+ weekly downloads makes this extremely high-impact","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Cross-platform RAT for macOS, Windows, and Linux","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Compromised maintainer account (jasonsaayman)","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Recent: Malicious Rust Crates (2026-02/03)","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"5 crates impersonating time utilities on crates.io","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Steal .env files, AWS credentials, SSH keys","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"First significant supply chain attack targeting Rust ecosystem","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Historical but Relevant: Shai-Hulud Worm","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Self-replicating npm worm that compromised ~1000 packages","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Targets npm tokens for self-propagation","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Destructive fallback: wipes home directory if exfiltration fails","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Updating the IOC Database","type":"text"}]},{"type":"paragraph","content":[{"text":"When new supply chain attacks are reported:","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Search for the latest advisories from Socket, Aikido, Endor Labs, Snyk, JFrog","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Update ","type":"text"},{"text":"references/ioc-database.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" with new packages, versions, domains, IPs","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Update the scanner scripts with new package entries in the MALICIOUS_* arrays","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Update the ","type":"text"},{"text":"ioc-db-date","type":"text","marks":[{"type":"code_inline"}]},{"text":" in the SKILL.md frontmatter","type":"text"}]}]}]},{"type":"hr","attrs":{"markup":"---"}}]},"metadata":{"date":"2026-06-05","name":"supply-chain-guard","author":"@skillopedia","source":{"stars":27714,"repo_name":"claude-code-templates","origin_url":"https://github.com/davila7/claude-code-templates/blob/HEAD/cli-tool/components/skills/security/supply-chain-guard/SKILL.md","repo_owner":"davila7","body_sha256":"d4b5bf66b28a26580c5c91d8d949babe1d1e6fa4282256396ab5d995a38c4d02","cluster_key":"bac4e1911c79a38e6640d948a5548fd1cfe6694fe603221cdedd4a1f1def495b","clean_bundle":{"format":"clean-skill-bundle-v1","source":"davila7/claude-code-templates/cli-tool/components/skills/security/supply-chain-guard/SKILL.md","attachments":[{"id":"e33b5ab3-d2e2-57e1-b321-9be5b4b82fb4","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/e33b5ab3-d2e2-57e1-b321-9be5b4b82fb4/attachment.md","path":"references/ioc-database.md","size":5750,"sha256":"d4e358017c6497120f4bd96cc2f387beff41a01836551c7d001fa298f76c2ea2","contentType":"text/markdown; charset=utf-8"},{"id":"801b6ed0-0fee-5d9d-91ee-186df7b86e0b","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/801b6ed0-0fee-5d9d-91ee-186df7b86e0b/attachment.sh","path":"scripts/scan-all.sh","size":4618,"sha256":"a5779ed1e8d021ae52adcb24fec43a751256c62525a2b13acc65199510d43627","contentType":"application/x-sh; charset=utf-8"},{"id":"9f47280a-fd9d-5274-8690-1e4f7db2c4bd","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/9f47280a-fd9d-5274-8690-1e4f7db2c4bd/attachment.sh","path":"scripts/scan-ci.sh","size":10341,"sha256":"6ec578462aeafd52adb091a97221a4c0ffda25df048d7503650a271273fcdf16","contentType":"application/x-sh; charset=utf-8"},{"id":"cdf00b15-066a-54b2-b2dd-41d11db5ae8f","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/cdf00b15-066a-54b2-b2dd-41d11db5ae8f/attachment.sh","path":"scripts/scan-npm.sh","size":12451,"sha256":"6bb1c2e7202b22c2f43a273fc16edb56ed2a3b0e3c9d2e5187c864c329a2483c","contentType":"application/x-sh; charset=utf-8"},{"id":"2b03aafa-c1e8-54cf-b3fc-c4ae8e6c2693","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/2b03aafa-c1e8-54cf-b3fc-c4ae8e6c2693/attachment.sh","path":"scripts/scan-python.sh","size":10835,"sha256":"65717a268f6bb7db96974360201274e7af398932f7641a3d65397a1029080edf","contentType":"application/x-sh; charset=utf-8"}],"bundle_sha256":"5fbace3586bc0e24e095d645c74c26ddf8e215dae6a114bc30a841215402e446","attachment_count":5,"text_attachments":5,"attachment_storage":"skillopedia-attachments-v1","binary_attachments":0,"excluded_attachments":[]},"cluster_size":1,"skill_md_path":"cli-tool/components/skills/security/supply-chain-guard/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"devops-infrastructure","category_label":"DevOps"},"exact_dupes_collapsed_into_this":0},"version":"v1","category":"devops-infrastructure","metadata":{"author":"dan-avila","version":"1.0","ioc-db-date":"2026-03-31"},"import_tag":"clean-skills-v1","description":"Detect and remediate software supply chain attacks in npm, PyPI, crates.io, GitHub Actions, and CI/CD pipelines by scanning for known compromised packages, malicious versions, filesystem IOCs, C2 indicators, and CI/CD misconfigurations."}},"renderedAt":1782981420748}

Supply Chain Guard Automated detection and remediation of software supply chain attacks across npm, PyPI, crates.io, GitHub Actions, and CI/CD pipelines. Built from real-world attack intelligence gathered through March 31, 2026. When to Use This Skill Use this skill when: - The user asks to audit a project's dependencies for security issues - Before deploying code to production - When investigating a potential supply chain compromise - When the user mentions a recent supply chain attack and wants to check their projects - As a regular security check in development workflows - When setting up…