November 2024 in Software Supply Chain Security
ID: 3ac965a1-4b47-5926-8b20-b01e565dd3b4
STIX ID: report--3ac965a1-4b47-5926-8b20-b01e565dd3b4
Feed Name: Checkmarx Zero
In November 2024, supply-chain attacks highlighted attackers' 'legitimate-first' package strategies and their creative abuse of official documentation: a year-long malicious NPM package combined crypto-mining with data theft and affected dozens of systems; another NPM package mirrored a React Native documentation example to trick developers; and the aiocpa PyPI package, after months of legitimate use, was weaponized to steal cryptocurrency credentials via Telegram. The report also notes improvements against StarJacking in some repositories, but warns that the risk remains and urges continued vigilance in package verification and ecosystem defenses.
