Software supply chain attacks have become alarmingly more prominent over the past years. Successful exploits have changed the economics adversaries use and it has even changed potential victims. Increasingly, developer tools have become the target of these attacks with adversaries targeting git repositories, package managers and CI/CD pipelines.

This presentation will focus on exactly how adversaries target developers to disrupt the build process of the software supply chain. To do this we examine recent examples of how adversaries successfully abused these tools and recreate the attack with demos. This will include how to target developer accounts, how to abuse common misconfigurations to elevate privileges, how an abuser can remain hidden and how attackers can inject malicious packages into your build cycle. 

In addition, we will also review exactly what supply chain attacks are and how they have changed the attack landscape. Including how the economics for adversaries have been reimagined following prominent supply chain attacks and how this has affected who the end victims could be. Finally, we will review security measures that can be immediately implemented to harden key weaknesses in code repositories and CI/CD pipelines and how you can detect an attack during the early reconnaissance stages. The goal of this presentation will be to not only show adversarial trends but also arm the audience with a few key defensive takeaways that are aimed specifically at developers