
“The software supply chain is no longer just about dependencies,” Seker said; it now spans toolchains, marketplaces, and the entire development ecosystem. “You’ve got to treat developer infrastructure like production infrastructure.”
Developers and security teams should watch for critical signals: malicious extensions containing invisible Unicode characters being uploaded to marketplaces; hidden C2 channels that use blockchain memos and legitimate services such as Google Calendar to evade takedowns; and infected developer machines being used as proxy nodes to launch further infections.
Companies should reduce their attack surface by allowing only components from trusted publishers, disabling auto‑updates where possible, and maintaining an inventory of installed extensions, Seker advised. They should also monitor for abnormal outbound connections from workstations, credential‑harvesting activity aimed at developer‑level tokens (npm, GitHub, VS Code), and the creation of proxy or VNC servers. Security teams should apply the “same rigor” they use for third‑party libraries to their own developer toolchains.
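Two of the recommendations above, keeping an inventory of installed extensions checked against trusted publishers and looking for invisible Unicode characters hidden in extension code, can be combined into one small audit. The following is an added example written for this article, not code from Seker or from any product mentioned; it assumes the VS Code layout in which each extension lives in its own folder with a `package.json` carrying `publisher`, `name` and `version`, and the set of "invisible" code point ranges it flags is a constructed list chosen for illustration. The fixture it builds (one clean extension, one with zero-width and bidi-override characters) is constructed inline so the script runs offline.

```python
import json
import tempfile
from pathlib import Path

# Code points that render as nothing, or only steer text direction, and can
# therefore hide logic or strings from a human reviewer. Constructed list for
# this example; extend it to match your own review policy.
INVISIBLE_RANGES = [
    (0x200B, 0x200F),    # zero-width space/joiners, LRM/RLM marks
    (0x202A, 0x202E),    # bidi embedding and override controls
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors
    (0xFEFF, 0xFEFF),    # zero-width no-break space (BOM mid-file)
    (0xE0000, 0xE007F),  # Unicode "tag" characters
    (0xE0100, 0xE01EF),  # variation selectors supplement
]

SOURCE_SUFFIXES = (".js", ".mjs", ".cjs", ".ts", ".json")


def invisible_chars(text):
    """Return (line, column, 'U+XXXX') for every invisible code point in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            cp = ord(ch)
            if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
                hits.append((line_no, col, f"U+{cp:04X}"))
    return hits


def inventory_extensions(ext_root, trusted_publishers):
    """Walk an extensions directory and build an inventory with two findings.

    For each folder that has a package.json, record publisher.name and version,
    whether the publisher is on the allow-list, and which source files contain
    invisible code points (file -> list of hits).
    """
    report = []
    for ext_dir in sorted(Path(ext_root).iterdir()):
        manifest = ext_dir / "package.json"
        if not manifest.is_file():
            continue
        meta = json.loads(manifest.read_text(encoding="utf-8"))
        findings = {}
        for src in sorted(ext_dir.rglob("*")):
            if src.is_file() and src.suffix in SOURCE_SUFFIXES:
                hits = invisible_chars(src.read_text(encoding="utf-8", errors="replace"))
                if hits:
                    findings[str(src.relative_to(ext_dir))] = hits
        publisher = meta.get("publisher", "?")
        report.append({
            "id": f"{publisher}.{meta.get('name', '?')}",
            "version": meta.get("version", "?"),
            "trusted_publisher": publisher in trusted_publishers,
            "invisible_unicode": findings,
        })
    return report


def build_fixture(root):
    """Create two constructed extensions: one clean, one with hidden characters."""
    clean = Path(root) / "goodcorp.linter-1.0.0"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps(
        {"publisher": "goodcorp", "name": "linter", "version": "1.0.0"}), encoding="utf-8")
    (clean / "extension.js").write_text("exports.activate = () => {};\n", encoding="utf-8")

    suspect = Path(root) / "unknown.helper-0.0.1"
    suspect.mkdir()
    (suspect / "package.json").write_text(json.dumps(
        {"publisher": "unknown", "name": "helper", "version": "0.0.1"}), encoding="utf-8")
    # Zero-width characters and a right-to-left override hidden after ordinary code.
    (suspect / "extension.js").write_text(
        "const a = 1;\u200b\u200c\nconst b = 2;\u202e\n", encoding="utf-8")


def run_audit():
    """Build the fixture in a temp dir, audit it, and return the report."""
    root = tempfile.mkdtemp()
    build_fixture(root)
    return inventory_extensions(root, trusted_publishers={"goodcorp"})


if __name__ == "__main__":
    for entry in run_audit():
        flag = "" if entry["trusted_publisher"] else "  [untrusted publisher]"
        print(f"{entry['id']} {entry['version']}{flag}")
        for path, hits in entry["invisible_unicode"].items():
            for line_no, col, cp in hits:
                print(f"  {path}:{line_no}:{col} invisible {cp}")
```

Pointing `inventory_extensions` at a real `~/.vscode/extensions` directory yields the inventory Seker recommends; the untrusted-publisher and invisible-Unicode findings are the two signals worth feeding into whatever alerting the security team already runs on workstations.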
