UK calls for stronger open source supply chain security practices

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software security headlines from around the world, curated by the team at ReversingLabs .

This week: The UK government is calling for organizations to bolster their open-source software security practices as a result of several weaknesses found. Also: The North Korea-aligned Lazarus Group has launched a new malicious campaign on npm.??

This Week’s Top Story

UK calls for stronger open source supply chain security practices

The United Kingdom’s Department for Science, Innovation & Technology (DSIT) recently published a report titled, “Open source software best practice and supply chain risk management” (PDF). The report outlines current weaknesses that exist in modern open-source software (OSS) security practices, and makes several recommendations for organizations looking to secure their software supply chains as a result.?

One of the main weaknesses outlined is the lack of industry-specific practices for the secure use of OSS. The report’s authors shared that “outside highly regulated industries, there is a lack of guidance on how to manage OSS components in specific industries, such as education.” This lack of standardization also hurts smaller companies, because the limited standards that do exist for OSS do not reflect these organizations’ limited resources.?

DSIT said additional weaknesses include a lack of consensus on how to best manage OSS components and a formal process for judging the trustworthiness of these components, and the outsized influence of large tech companies’ plentiful resources on the OSS ecosphere.?

“We found that each developer uses their own trust model and that there is no documented process for evaluating the trustworthiness of OSS components within an organization.” –UK DSIT

In analyzing these weaknesses, DSIT’s report shares the following recommendations for organizations connected to software supply chains:

• Policy: All organizations should establish an internal OSS policy that details the criteria for evaluating the trustworthiness and maturity of OSS components.?
• SBOM: Companies should develop a software bill of materials (SBOM) for their own software products, which likely include OSS components.?
• Continuous monitoring: Teams should continuously monitor the software supply chain for vulnerabilities, licensing issues, and new versions of OSS components.?
• Community engagement: Organizations that contribute to and depend on OSS should engage with the greater OSS community by participating in various activities and events, and provide financial support to essential projects.
• Use tooling: Teams can rely on the right tooling to automate the process of managing OSS components, enforcing policies, continuous monitoring and SBOM generation.?

(Security Week)

This Week’s Headlines

Lazarus group hid backdoor in fake npm packages

The notorious Lazarus Group has struck once again – now in the form of sneaking malicious code onto npm. Researchers at Socket have identified six packages as a part of the campaign, which have already been downloaded 330 times. The packages are designed to infiltrate developers’ computers, swipe login details, steal cryptocurrency information, and even install a backdoor for long-term access. Lazarus typosquatted all six packages to look like legitimate ones, in an effort to trick developers into downloading them. Attackers also set up fake GitHub pages for some of the packages in an attempt to make them seem trustworthy. This new campaign is just one of many conducted by the North Korea-aligned hacking group, which often targets OSS. (Hackread)

A supply chain attack journey: npm run hack:me

Freelance developer rxj.dev, known as Ron X Jansen on X, wrote about a situation where he thought he was being recruited to work on a Web3 project — but, instead, he was hacked, giving his attackers user-level permissions to his system. The attacker posed as a recruiter, and asked him before a scheduled interview to perform a few preliminary development tasks that resided on OSS. Jansen ran npm install and npm run start as a part of the tasks, and only later found that in the process he ran process-log, a package with obfuscated code that served up malware. (rxj.dev)

Meta warns of worrying security flaw hitting OSS

Meta is currently warning the community about an out-of-bounds write vulnerability in FreeType, an OSS library that renders fonts and is widely used in graphics applications, game engines and operating systems to display high-quality text. Major projects such as Android, Linux, Unreal Engine and ChromeOS rely on FreeType for font rendering. The vulnerability, tracked as CVE-2025-27363 and has a severity score of 8.1 (high), could allow threat actors to remotely execute arbitrary code (RCE) in versions 2.13.0 and older. Meta believes that the vulnerability “may have been exploited in the wild,” and can be triggered “when attempting to parse font subglyph structures related to TrueType GX and variable font files.” (TechRadar Pro)

55% of organizations lack strategies for AI-driven cyber threats

Mimecast surveyed 1,100 IT security professionals and found that 55% of organizations lack dedicated strategies to address AI-driven cyber threats. Additionally, the report shows that 95% of organizations currently use AI for threat detection, endpoint protection, and insider risk analysis. However, 81% of these same companies worry about data leaks from generative AI (GenAI) tools, and 46% of them are also not confident in their ability to defend against AI-powered phishing and deepfake threats. (Tech Monitor)

For more insights on software supply chain security, see the RL Blog.?

The Best of RL

Report | The 2025 Software Supply Chain Security Report

ReversingLabs’ third annual report on the state of software supply chain security is here! The report analyzes findings from RL’s threat research team this past year, as well as the emerging attack trends targeting AI, crypto, open-source and commercial software. [Read Now]?

Webinar | The Year In Supply Chain Risk: Expert Roundtable

Thursday, March 27 at 11am ET

If you have pressing questions about the state of software supply chain risk, save your seat for this upcoming roundtable discussion. RL’s director of editorial and content Paul F. Roberts will be joined by RL chief software architect and co-founder Tomislav Peri?in , as well as Aquia CEO Chris H. . [Save Your Seat]?

Webinar | Securing JFrog Artifactory with RL Spectra Assure

Wednesday, March 20 at 12pm ET

How can software producers ensure that components, builds, and releases from multiple development pipelines and supply chains are safe? Join this webinar to see how the RL Spectra Assure integration with JFrog Artifactory ensures you are building with safe components and the builds being created are safe to ship. [Save Your Seat]?

For great conversations to watch, see RL’s on-demand webinar library.