For roughly a decade, "supply-chain security" in software meant SBOMs for shipped binaries, signed releases and vulnerability scanning of production dependencies. The implicit assumption was that the threat was in the deployed system. The 2026 wave of reporting has made that assumption obsolete.
In the last week of June 2026, **The Hacker News** documented a clustered set of incidents that fit a single pattern: **the attack target is the build pipeline, not the production system**. The reporting covered **compromised npm packages including LeoPlatform and RStreams**, an active campaign **abusing GitHub Actions workflows** as a foothold inside private repositories, and the **compromise of a Go module belonging to the Verana Blockchain project**. In parallel, **CISA added CVE-2026-12569 — a CVSS 9.3 unauthenticated remote code execution vulnerability in PTC Windchill PDMLink/FlexPLM — to its Known Exploited Vulnerabilities catalog on 26 June 2026**, with confirmed active exploitation in the wild.
None of these incidents is the production system being attacked at runtime. Every one of them is **the upstream system that produces software being attacked**. A malicious npm package executes inside
Because the production-centric defenses — WAF, EDR, SIEM, MFA — do not see what happens on a CI runner during `npm install` or in a GitHub Actions workflow. The attacker who compromises a build inherits the deployment pipeline, the secrets and the artefact signature. The June 2026 incidents on npm (LeoPlatform, RStreams), GitHub Actions and the Verana Go module all share this pattern.
An SBOM is necessary but not sufficient. It answers "what is in the build" — which lets you respond to a CVE like CVE-2026-12569 added to the CISA KEV on 26 June 2026 in minutes rather than days. It does not, by itself, prevent a malicious dependency from entering. SBOM, dependency pinning, provenance review, hardened CI and signed artefacts work together.
Pin every third-party action to a commit SHA, not to a mutable tag. Require code review on workflow-file changes. Scope secrets per-environment, not shared. Move long-lived API keys to short-lived OIDC-issued credentials wherever the cloud provider supports it.
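The first two of these controls can be checked mechanically before a workflow change is merged. The following is an added example, not code from the original article or from any GitHub tooling: a small audit that reads a workflow file as text and flags any third-party `uses:` reference that is not a full 40-hex commit SHA, any reference to a long-lived cloud key secret, and whether the workflow requests the `id-token: write` permission that OIDC-issued credentials need. The two embedded workflows are constructed for illustration; `example-org/setup-tool` is a hypothetical action, the SHAs are placeholders, and the list of long-lived key names is a heuristic, not a complete catalogue.

```python
"""Audit GitHub Actions workflow text for the hardening points above.

Added example, not code from the original article. Action pinning is checked
by reference shape only (a full SHA is the sole immutable form); long-lived
cloud keys are detected by a small, heuristic list of secret names.
"""
import re
from typing import Dict, List

# `- uses: owner/repo@ref` or `uses: owner/repo/subdir@ref`; local `./` actions
# and `docker://` references carry no `@` owner/repo form and are skipped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)", re.MULTILINE)
# Only a full 40-character lowercase hex SHA is an immutable pin.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `${{ secrets.NAME }}` references anywhere in the workflow.
SECRET_REF_RE = re.compile(r"secrets\.([A-Z0-9_]+)")
# Heuristic: static credentials that an OIDC federation would replace.
LONG_LIVED_KEY_NAMES = {
    "AWS_SECRET_ACCESS_KEY",
    "AZURE_CLIENT_SECRET",
    "GOOGLE_APPLICATION_CREDENTIALS",
}


def find_unpinned_actions(workflow_yaml: str) -> List[Dict[str, str]]:
    """Return every third-party action whose ref is a tag or branch, not a SHA."""
    findings = []
    for match in USES_RE.finditer(workflow_yaml):
        action, ref = match.group(1), match.group(2)
        if not FULL_SHA_RE.match(ref):
            findings.append({"action": action, "ref": ref})
    return findings


def find_long_lived_keys(workflow_yaml: str) -> List[str]:
    """Return referenced secret names that look like static cloud keys."""
    names = set(SECRET_REF_RE.findall(workflow_yaml))
    return sorted(names & LONG_LIVED_KEY_NAMES)


def has_oidc_permission(workflow_yaml: str) -> bool:
    """True when the workflow requests an OIDC token (`id-token: write`)."""
    return re.search(r"id-token:\s*write", workflow_yaml) is not None


def audit_workflow(workflow_yaml: str) -> Dict[str, object]:
    """Combine the three checks into one report for a workflow file."""
    return {
        "unpinned": find_unpinned_actions(workflow_yaml),
        "long_lived_keys": find_long_lived_keys(workflow_yaml),
        "oidc_enabled": has_oidc_permission(workflow_yaml),
    }


# Constructed sample: mutable tags and a static AWS key pair in the job env.
WEAK_WORKFLOW = """
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@main
      - run: npm ci
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
"""

# Constructed sample of the corrected form: SHA pins (placeholder SHAs), an
# environment-scoped job, and OIDC instead of a stored key. Hypothetical action.
HARDENED_WORKFLOW = """
name: build
on: [push]
permissions:
  contents: read
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    environment: production
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: example-org/setup-tool@fedcba9876543210fedcba9876543210fedcba98  # placeholder SHA
      - run: npm ci
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit_workflow(text))
```

Run as a pre-merge check on `.github/workflows/*.yml`, the weak sample reports two unpinned actions and one static key with no OIDC permission, while the hardened sample reports nothing. The regex approach deliberately avoids a YAML dependency so it can run on a bare runner; it will not follow reusable workflows called from other repositories, which need the same audit applied to their own files.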
A non-negotiable SDLC clause covering SBOM on every release, lockfile-pinned dependencies, hardened CI, secrets management with rotation, mandatory peer review, SAST/DAST/SCA gates, KEV-feed monitoring with SLA, signed artefacts and an indemnity for supply-chain incidents the supplier introduces. If the supplier cannot agree to these, you are buying hours, not secure code.
Yes. CISA KEV is the most authoritative public feed of vulnerabilities with confirmed active exploitation. The 26 June 2026 addition of CVE-2026-12569 (PTC Windchill PDMLink/FlexPLM, CVSS 9.3) is a current example. It is jurisdiction-agnostic intelligence about which CVEs attackers are actually using right now.
Continuously, on a triggered basis. When a new CVE lands in CISA KEV or in a major vendor feed, the SCA tool should automatically re-evaluate the last several months of builds and flag any historical artefact that contains the affected component, regardless of whether it is still in production.
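The re-evaluation described here, and the SBOM lookup that lets a KEV addition be answered in minutes, amount to one join: a new advisory against every stored build manifest. The following added example (not code from the original article or from any SCA vendor) carries that join through over a set of historical build records whose SBOMs use a minimal CycloneDX-style `components` list. The CVE identifier `CVE-EXAMPLE-0001`, the component `example-lib`, the version numbers and the build ids are all constructed placeholders; the version comparison assumes plain dotted numeric versions.

```python
"""Re-evaluate historical build SBOMs against a newly published advisory.

Added example, not code from the original article. Build records, the CVE id
and the component name are constructed placeholders. Versions are compared as
zero-padded numeric tuples, so "2.4" and "2.4.0" are treated as equal.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class KevEntry:
    cve_id: str                 # advisory identifier (placeholder below)
    component: str              # package name the advisory covers
    fixed_in: Tuple[int, ...]   # first version that is NOT affected


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.2.3-beta' -> (1, 2, 3). Pre-release suffixes are ignored."""
    match = re.match(r"^(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparsable version: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]) -> Tuple[Tuple[int, ...], Tuple[int, ...]]:
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def is_affected(version: str, entry: KevEntry) -> bool:
    """A component is affected when its version precedes the fixed version."""
    found, fixed = _pad(parse_version(version), entry.fixed_in)
    return found < fixed


def find_exposed_builds(builds: Dict[str, dict], entry: KevEntry) -> List[dict]:
    """Flag every historical build whose SBOM contains an affected component,
    regardless of whether that build is currently deployed."""
    findings = []
    for build_id, record in sorted(builds.items()):
        for comp in record["sbom"].get("components", []):
            if comp.get("name") != entry.component:
                continue
            if is_affected(comp["version"], entry):
                findings.append({
                    "build": build_id,
                    "cve": entry.cve_id,
                    "component": comp["name"],
                    "version": comp["version"],
                    "in_production": record.get("in_production", False),
                })
    return findings


# Constructed build records: id -> {deployment state, minimal SBOM}.
HISTORICAL_BUILDS = {
    "build-2026-04-02": {
        "in_production": False,
        "sbom": {"components": [
            {"name": "example-lib", "version": "2.3.0"},
            {"name": "other-lib", "version": "1.0.0"},
        ]},
    },
    "build-2026-05-17": {
        "in_production": False,
        "sbom": {"components": [{"name": "example-lib", "version": "2.4.0"}]},
    },
    "build-2026-06-20": {
        "in_production": True,
        "sbom": {"components": [{"name": "example-lib", "version": "2.4.1"}]},
    },
}

# Constructed placeholder advisory: example-lib before 2.4.1 is affected.
EXAMPLE_KEV = KevEntry(cve_id="CVE-EXAMPLE-0001", component="example-lib", fixed_in=(2, 4, 1))

if __name__ == "__main__":
    for finding in find_exposed_builds(HISTORICAL_BUILDS, EXAMPLE_KEV):
        print(finding)
```

Wired to a KEV or vendor feed, this runs once per new entry rather than on a schedule, and the `in_production` field is what turns a finding into either a patch ticket or a retroactive review of what that artefact was used for. Real advisories often name several affected ranges or a coordinate more specific than a bare name (ecosystem, group, purl); extend `KevEntry` to carry those rather than relaxing the match.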
By default. The ten controls listed in this article are part of how our Morocco engineering pods are trained and how every engagement is set up, on the same loaded rate. The contractual checklist exists because we have answered it ourselves.
CALL IT DEV — Software, AI and dedicated tech teams — Casablanca | Madrid | Dubai — contact@callitdev.com — +212-537-373777