Silk Typhoon targeting the IT supply chain

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software security headlines from around the world, curated by the team at ReversingLabs.

This week: Chinese threat actor Silk Typhoon is exploiting unpatched applications to abuse stolen API keys and credentials to pull off supply chain attacks. Also: Seven malicious Go packages have been found deploying malware on Linux and macOS systems.

This Week’s Top Story

Silk Typhoon targeting the IT supply chain

This week, researchers from Microsoft Security are warning about a shift in the tactics used by Silk Typhoon (aka Hafnium), a Chinese espionage group, which is now targeting common IT solutions such as remote management tools and cloud applications to gain initial access. Researchers stress that while Silk Typhoon hasn’t directly targeted Microsoft cloud services, they have found evidence that the attackers have been exploiting unpatched applications, allowing them to use stolen keys and credentials to further their malicious activity.

While tracking the threat actor, researchers discovered Silk Typhoon abusing stolen API keys and credentials associated with privileged access management (PAM) providers, cloud app providers, and cloud data management companies. This allowed the threat actor to access these companies’ downstream customer environments – evidence of a multi-pronged software supply chain attack. So far, Microsoft believes that the victims include entities in state and local government, as well as the IT sector.

Using the access granted by the API keys, researchers assert that Silk Typhoon performed reconnaissance and data collection on targeted devices via an admin account. The data targeted is believed to be information that overlaps with China-based interests, U.S. government policy and administration, and legal process and documents related to law enforcement investigations. The threat actor also abused this access by resetting default admin accounts via API key, implanting web shells, creating additional users, and clearing logs of the actions it performed.

Researchers also observed Silk Typhoon gaining initial access through password abuse techniques, including discovering passwords through reconnaissance. Attackers leveraged corporate passwords leaked in public repositories such as GitHub, and used them to authenticate to a corporate account and carry out malicious activities.

Researchers assert that Silk Typhoon is a well-resourced and technically efficient group, which has targeted a wide range of sectors and geographic regions since as early as 2020.

(Microsoft Security)
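The sequence described above (privileged actions performed under an API-key identity, followed by log clearing by that same identity) is the kind of pattern a defender can correlate in PAM or cloud audit logs. The following Go program is an added illustration, not Microsoft's detection logic and not part of the original newsletter. The audit event schema, the principal names and the sample events are all constructed for the example; a real PAM or cloud provider log will use its own field names and action vocabulary.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// AuditEvent is a simplified, constructed audit record. Field names and the
// action vocabulary are assumptions for this example, not a real product schema.
type AuditEvent struct {
	Time      time.Time
	Principal string // identity that performed the action
	AuthType  string // how the identity authenticated: "api_key", "password", "sso"
	Action    string // "admin_reset", "user_create", "log_clear", "read"
	Target    string // tenant, vault or device acted upon
}

// Privileged actions that, when performed under an API key and later followed
// by a log clear from the same identity, warrant an alert.
var privileged = map[string]bool{"admin_reset": true, "user_create": true}

// Alert describes one identity whose privileged API-key actions were followed
// by a log clear inside the correlation window.
type Alert struct {
	Principal string
	Actions   []string // privileged actions in time order, ending with "log_clear"
}

// FindCoverUpSequences groups events by principal and, for every log_clear,
// looks back within the window for privileged actions taken under an API key.
func FindCoverUpSequences(events []AuditEvent, window time.Duration) []Alert {
	sorted := append([]AuditEvent(nil), events...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Time.Before(sorted[j].Time) })

	byPrincipal := map[string][]AuditEvent{}
	var order []string // keeps alert output deterministic
	for _, e := range sorted {
		if _, seen := byPrincipal[e.Principal]; !seen {
			order = append(order, e.Principal)
		}
		byPrincipal[e.Principal] = append(byPrincipal[e.Principal], e)
	}

	var alerts []Alert
	for _, p := range order {
		evs := byPrincipal[p]
		for i, e := range evs {
			if e.Action != "log_clear" {
				continue
			}
			var prior []string
			for _, q := range evs[:i] {
				if q.AuthType == "api_key" && privileged[q.Action] && e.Time.Sub(q.Time) <= window {
					prior = append(prior, q.Action)
				}
			}
			if len(prior) > 0 {
				alerts = append(alerts, Alert{Principal: p, Actions: append(prior, "log_clear")})
			}
		}
	}
	return alerts
}

var base = time.Date(2025, 3, 6, 10, 0, 0, 0, time.UTC)

func at(minutes int) time.Time { return base.Add(time.Duration(minutes) * time.Minute) }

// SampleEvents is a constructed audit log (deliberately out of order to show
// that the detector sorts first). Field order: Time, Principal, AuthType, Action, Target.
var SampleEvents = []AuditEvent{
	{at(1), "alice", "password", "read", "vault/prod"},
	{at(0), "svc-pam-key-17", "api_key", "admin_reset", "tenant/customer-a"},
	{at(3), "svc-pam-key-17", "api_key", "user_create", "tenant/customer-a"},
	{at(2), "bob", "api_key", "read", "tenant/customer-b"},
	{at(10), "svc-pam-key-17", "api_key", "log_clear", "tenant/customer-a"},
	{at(15), "alice", "password", "log_clear", "vault/prod"}, // routine rotation, no API-key admin action before it
}

func main() {
	for _, a := range FindCoverUpSequences(SampleEvents, 30*time.Minute) {
		fmt.Printf("ALERT principal=%s sequence=%v\n", a.Principal, a.Actions)
	}
}
```

Only the API-key identity that reset an admin account and created a user before clearing logs is flagged; alice's log clear, which has no API-key privileged action before it, is not. The window is the tuning knob: too short and a patient actor slips through, too long and routine administration starts to alert.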

This Week’s Headlines

Go packages found deploying malware on Linux and macOS

Researchers at Socket are warning of an ongoing malicious campaign targeting the Go ecosystem with typosquatted modules designed to deploy loader malware on Linux and macOS systems. The campaign consists of at least seven packages that impersonate widely used Go libraries, with one of them (github[.]com/shallowmulti/hypert) specifically targeting software developers in the financial sector, researchers said. The packages share repeated malicious file names and consistently use obfuscation – a technique often associated with malicious activity. The attackers’ end goal is to have victims install and run an executable that can steal data or other sensitive credentials. (The Hacker News)

NK steps up cyberattacks on software supply chains

South Korea’s National Intelligence Service (NIS) said in a press release this week that it recently detected North Korean (DPRK) threat actors employing “sophisticated techniques” to carry out supply chain attacks. Based on its findings, the NIS believes that these attackers aim to steal confidential information and core technologies from government agencies and tech companies. The NIS found that the North Korean threat actors carry out these attacks by breaching IT service providers to bypass government and enterprise security measures, exploiting software vulnerabilities, and taking advantage of security mismanagement. In response, the NIS is urging organizations to bolster their cybersecurity efforts. (The Readable)

Open-source security risks continue to rise

According to the 2025 Open Source Security and Risk Analysis report from Black Duck, 86% of commercial codebases contain vulnerabilities, with 81% harboring high- or critical-risk vulnerabilities. The report also found that the average number of open-source files in applications has tripled over the past four years, surging from 5,300 in 2020 to 16,000 in 2024. Even more concerning: 90% of audited codebases contained open-source components that were over four years out of date – presenting a growing attack surface and a heightened amount of risk for organizations connected to software supply chains. (Information Security Buzz)

How to manage supply chain risks: Insights from security leaders

Because developers use more third-party software than ever before, enterprises need to address the software supply chain risks that stem from this use. In this Information Week article, security leaders at major institutions share key considerations on which risks enterprises should be paying attention to, as well as which mitigation strategies security and risk management teams should be prioritizing. Experts cited include Adam Ennamli, chief risk and security officer at General Bank of Canada; Jeremy Ventura, field CISO at Myriad360; and Joseph Leung, CTO and chief product officer at JAVLIN Invest. (Information Week)

For more insights on software supply chain security, see the RL Blog.

The Best of RL

Webinar | 6 Critical Risks to Identify in your Software Supply Chain

Thursday, March 23 at 1pm ET

Gartner estimates the costs from software supply chain attacks will rise from $46B in 2023 to $138B by 2031. And while 66% of organizations are implementing or about to implement a software supply chain security initiative, they are not addressing key risks. In this webinar, we’ll explore the top six risks and how to identify them. [Save Your Seat]

Blog | The top software development security challenges: The AI's have it

From the AppSec testing gap to data privacy, AI is increasing security worries. Here are key takeaways from a new survey of software development leaders. [Read Now]

Blog | 7 container security best practices

With the rise of attacks on the supply chain and threats from AI, securing containers requires a modern strategy. Here are key considerations. [Read Now]

For great conversations to watch, see RL’s on-demand webinar library.

Mauricio Ortiz, CISA

Great dad | Inspired Risk Management and Security | Cybersecurity | AI Governance & Security | Data Science & Analytics. My posts and comments are my personal views and perspectives, not those of my employer.

3 days ago

ReversingLabs, great post. The threats and interest in targeting the software supply chain have increased exponentially from state-sponsored and other criminal groups. It is the best way to target multiple organizations at scale.
