The .csv file in this repository represents the work by IQT Labs to identify and create a living (though not breathing) dataset of publicly reported software supply chain compromises. Dan Geer, Bentz Tozer, and John Speed Meyers used this dataset for an article analyzing software supply chain compromises. (See the citation below.)

We want and need help to maintain this dataset. Please help us maintain it by submitting pull requests to identify mistakes we made (we're all too human) either of commission or by omission. Importantly, this dataset will quickly go out of date unless new attacks are added.

If you are interested in software supply chain security, we recommend recent research and initiatives such as:

Software Bill of Materials effort, National Telecommunications and Information Administration, link.

Trey Herr, William Loomis, Stewart Scott, June Lee, "Breaking Trust: Shades of Crisis across an Insecure Software Supply Chain," The Atlantic Council, 2020, link.

OpenSSF, Open Source Security Foundation, a Linux Foundation project, link.

Marc Ohm, Backstabber's Knife Collection, an open source malware research repository, link.

In-toto Project, Software Supply Chain Compromises, New York University Secure Systems Lab, https://github.com/in-toto/supply-chain-compromises.

You can find IQT Lab's own public research on software supply chain security below:

Dan Geer, Bentz Tozer, and John Speed Meyers, "Counting Broken Links: A Quant's View of Software Supply Chain Security," USENIX ;login:, December 2020. Link

John Speed Meyers and Bentz Tozer, "pypi-scan: A Tool for Scanning the Python Package Index for Typosquatters," IQT Blog, October 16, 2020. Link, GitHub repo.

John Speed Meyers and Bentz Tozer, "Bewear: Python Typosquatting is About More than Typos," IQT Blog, September 30, 2020. Link.