Roni Carta: From Bug Bounties to Building a Safer Supply Chain
ID: 0338d69e-09d1-5947-9693-d7c55bc09ffb
STIX ID: report--0338d69e-09d1-5947-9693-d7c55bc09ffb
Feed Name: HackerOne Blog
This article profiles a bug-bounty hunter who uncovered repeating software supply-chain weaknesses across major organizations, and uses several high-impact examples — malicious npm packages shipping obfuscated malware, the GhostAction campaign that exfiltrated thousands of GitHub secrets, and a third-party compromise that facilitated a $1.5 billion crypto rerouting — to argue that third-party components are a systemic security risk.
