Supply chain attacks are having a moment. Open-source malware detections jumped 73% in 2025. In the past year, the debug and chalk packages were backdoored, the tj-actions GitHub Action was compromised and pulled malicious code into thousands of pipelines, and the axios maintainer account was hijacked and used to distribute a RAT. Malicious releases also hit Zapier, ENS Domains, PostHog, and Bitwarden CLI.
Every one of these attacks was preventable with controls that were available at the time. The attackers' techniques worked because most teams weren't running the right defenses at the install layer, in their pipelines, or on their developer machines.
This checklist walks through what those defenses look like. For the engineering teams that want to get ahead of supply chain attacks, this is for you.
TL;DR
The supply chain security checklist is a practical, prioritized set of tasks for hardening your stack against the current generation of supply chain attacks, graded critical, high, or medium so you know where to focus first. It covers dependency management, access and identity controls, CI/CD hardening, container security, developer environment lockdown, your agentic toolchain, and monitoring and response.
What's inside
The checklist follows the same attack surfaces the incidents above exploited. Each item names the attack it defends against, points to a concrete configuration change or tool, and stays grounded in what a working engineer actually has authority to change. While it's aimed at engineering teams, security leads, platform engineers, and anyone who owns part of the SDLC will find sections directly relevant to what they ship.
We've pulled out a few items below to give you a sense of what's inside.
Enforce a package age policy before anything installs
The pattern across many of the recent big attacks like axios, chalk and debug, and Mastra is that malicious releases of trusted packages started executing within hours of publication. Install-time controls are what buy your team the delay window to catch it.

Pin pipeline dependencies to commit SHAs
Third-party actions are code your pipeline trusts by default. When you reference them by tag, that trust extends to whoever controls the tag, and tags can be moved.

Treat MCP servers as third-party dependencies
Agentic tooling is at the forefront of attacker experimentation. MCP servers sit at a particularly high-trust point in the stack, with broad permissions and direct access to the data agents handle on your behalf.

Guard against prompt injection in AI-powered pipelines
Adding an AI agent to a CI pipeline expands what counts as risky input. Content that used to flow harmlessly through a workflow, like an issue title or a PR description, becomes an executable instruction the moment an agent reads it into a prompt. That's a bigger surface than most teams have modeled for.

Capture audit logs for registry pushes, CI runs, and token usage
Multiple compromises this year didn't show up in standard authentication logs at all. Attackers operated from live sessions with valid credentials, and the only meaningful signal came from audit logs of what those sessions actually did.

Download the supply chain attacks checklist
Those are five items out of thirty. The full checklist walks through pinning and lockfile enforcement, scoped tokens and phishing-resistant MFA, container image hardening, IDE extension and browser plugin controls, agent permission scoping, and incident response playbooks for when something does get through.

Fill out the short form below to download the supply chain attacks checklist and start working through it before the next package shows up in your dependency graph.
<script type="application/ld+json">
{
"@context": "https://schema.org",
"@graph": [
{
"@type": "TechArticle",
"@id": "https://www.aikido.dev/blog/supply-chain-attacks-checklist#article",
"headline": "The practical checklist for defending against supply chain attacks",
"description": "A practical checklist for engineering teams to defend against maintainer takeovers, poisoned actions, and malicious releases. Thirty prioritized practices graded by criticality.",
"url": "https://www.aikido.dev/blog/supply-chain-attacks-checklist",
"datePublished": "2026-07-14",
"dateModified": "2026-07-14",
"inLanguage": "en-US",
"mainEntityOfPage": {
"@type": "WebPage",
"@id": "https://www.aikido.dev/blog/supply-chain-attacks-checklist"
},
"author": {
"@id": "https://www.aikido.dev/authors/nicholas-thomson#person"
},
"publisher": {
"@id": "https://www.aikido.dev#organization"
},
"image": {
"@type": "ImageObject",
"url": "https://www.aikido.dev/blog/supply-chain-attacks-checklist/og-image.png",
"width": 1200,
"height": 630
},
"keywords": [
"supply chain attacks",
"software supply chain security",
"npm supply chain attack",
"maintainer account takeover",
"package age policy",
"commit SHA pinning",
"GitHub Actions security",
"CI/CD security",
"MCP server security",
"prompt injection",
"phishing-resistant MFA",
"FIDO2",
"audit logging",
"malicious npm packages",
"postinstall hooks",
"dependency confusion",
"typosquatting",
"Aikido Intel",
"Aikido Safe Chain",
"developer machine security"
],
"about": [
{"@type": "Thing", "name": "Software Supply Chain Security"},
{"@type": "Thing", "name": "Open Source Security"},
{"@type": "Thing", "name": "CI/CD Pipeline Security"},
{"@type": "Thing", "name": "npm Security"},
{"@type": "Thing", "name": "Agentic AI Security"}
],
"mentions": [
{"@type": "SoftwareApplication", "name": "axios", "applicationCategory": "npm package"},
{"@type": "SoftwareApplication", "name": "chalk", "applicationCategory": "npm package"},
{"@type": "SoftwareApplication", "name": "debug", "applicationCategory": "npm package"},
{"@type": "SoftwareApplication", "name": "tj-actions/changed-files", "applicationCategory": "GitHub Action"},
{"@type": "SoftwareApplication", "name": "Mastra", "applicationCategory": "npm package"},
{"@type": "SoftwareApplication", "name": "postmark-mcp", "applicationCategory": "MCP server"},
{"@type": "SoftwareApplication", "name": "Bitwarden CLI", "applicationCategory": "CLI tool"},
{"@type": "SoftwareApplication", "name": "Aikido Intel", "url": "https://intel.aikido.dev/"},
{"@type": "SoftwareApplication", "name": "Aikido Safe Chain", "url": "https://www.aikido.dev/protect/safe-chain"},
{"@type": "SoftwareApplication", "name": "Aikido Device Protection", "url": "https://www.aikido.dev/protect/device-protection"},
{"@type": "SoftwareApplication", "name": "Aikido Libraries", "url": "https://help.aikido.dev/autofix-and-remediation/aikido-libraries-overview"},
{"@type": "SoftwareApplication", "name": "Aikido Images", "url": "https://www.aikido.dev/cloud/hardened-images"},
{"@type": "Thing", "name": "Shai-Hulud campaign"},
{"@type": "Thing", "name": "PromptPwnd"},
{"@type": "Thing", "name": "Model Context Protocol (MCP)"},
{"@type": "Thing", "name": "FIDO2"},
{"@type": "Thing", "name": "Passkeys"},
{"@type": "Thing", "name": "OIDC"},
{"@type": "Thing", "name": "SBOM"},
{"@type": "Thing", "name": "CVE-2025-30066"}
],
"articleSection": [
"Dependency management",
"Access and identity controls",
"CI/CD hardening",
"Container security",
"Developer environments",
"Agentic toolchain",
"Monitoring and response"
],
"speakable": {
"@type": "SpeakableSpecification",
"cssSelector": ["h1", "h2", ".tldr"]
},
"timeRequired": "PT8M",
"isAccessibleForFree": true,
"citation": [
{
"@type": "CreativeWork",
"name": "ReversingLabs Software Supply Chain Security Report 2026",
"url": "https://www.reversinglabs.com/blog/sscs-report-2026-guidance-timeline"
},
{
"@type": "CreativeWork",
"name": "npm debug and chalk packages compromised",
"url": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised"
},
{
"@type": "CreativeWork",
"name": "tj-actions/changed-files supply chain attack",
"url": "https://www.aikido.dev/blog/get-the-tl-dr-tj-actions-changed-files-supply-chain-attack"
},
{
"@type": "CreativeWork",
"name": "axios npm compromised: maintainer hijacked with RAT",
"url": "https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat"
},
{
"@type": "CreativeWork",
"name": "Shai-Hulud strikes again: hitting Zapier, ENS Domains, PostHog",
"url": "https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains"
},
{
"@type": "CreativeWork",
"name": "Shai-Hulud npm Bitwarden CLI compromise",
"url": "https://www.aikido.dev/blog/shai-hulud-npm-bitwarden-cli-compromise"
}
]
},
{
"@type": "WebPage",
"@id": "https://www.aikido.dev/blog/supply-chain-attacks-checklist",
"url": "https://www.aikido.dev/blog/supply-chain-attacks-checklist",
"name": "The practical checklist for defending against supply chain attacks",
"description": "A practical checklist for engineering teams to defend against maintainer takeovers, poisoned actions, and malicious releases.",
"inLanguage": "en-US",
"isPartOf": {
"@id": "https://www.aikido.dev#website"
},
"primaryImageOfPage": {
"@type": "ImageObject",
"url": "https://www.aikido.dev/blog/supply-chain-attacks-checklist/og-image.png"
},
"breadcrumb": {
"@id": "https://www.aikido.dev/blog/supply-chain-attacks-checklist#breadcrumb"
},
"about": {"@id": "https://www.aikido.dev/blog/supply-chain-attacks-checklist#article"}
},
{
"@type": "BreadcrumbList",
"@id": "https://www.aikido.dev/blog/supply-chain-attacks-checklist#breadcrumb",
"itemListElement": [
{
"@type": "ListItem",
"position": 1,
"name": "Home",
"item": "https://www.aikido.dev"
},
{
"@type": "ListItem",
"position": 2,
"name": "Blog",
"item": "https://www.aikido.dev/blog"
},
{
"@type": "ListItem",
"position": 3,
"name": "Guides & Best Practices",
"item": "https://www.aikido.dev/category/guides-best-practices"
},
{
"@type": "ListItem",
"position": 4,
"name": "The practical checklist for defending against supply chain attacks",
"item": "https://www.aikido.dev/blog/supply-chain-attacks-checklist"
}
]
},
{
"@type": "ItemList",
"@id": "https://www.aikido.dev/blog/supply-chain-attacks-checklist#itemlist",
"name": "Featured checklist items",
"itemListOrder": "https://schema.org/ItemListOrderAscending",
"numberOfItems": 5,
"itemListElement": [
{
"@type": "ListItem",
"position": 1,
"name": "Enforce a package age policy before anything installs",
"description": "A 48-hour minimum age policy blocks same-day typosquatting and fast-moving malware campaigns before they reach your developers."
},
{
"@type": "ListItem",
"position": 2,
"name": "Pin pipeline dependencies to commit SHAs",
"description": "Third-party actions are code your pipeline trusts by default. Pin every action to an immutable commit SHA rather than a mutable tag."
},
{
"@type": "ListItem",
"position": 3,
"name": "Treat MCP servers as third-party dependencies",
"description": "MCP servers carry the same supply chain risks as any other dependency. Pin them, verify the publisher, and scope their permissions."
},
{
"@type": "ListItem",
"position": 4,
"name": "Guard against prompt injection in AI-powered pipelines",
"description": "As AI agents gain elevated access to CI pipelines, prompt injection becomes a live attack surface for anyone who can open a PR."
},
{
"@type": "ListItem",
"position": 5,
"name": "Capture audit logs for registry pushes, CI runs, and token usage",
"description": "Audit logs give you the timeline to reconstruct what happened, confirm the blast radius, and decide what to rotate."
}
]
},
{
"@type": "Person",
"@id": "https://www.aikido.dev/authors/nicholas-thomson#person",
"name": "Nicholas Thomson",
"jobTitle": "Senior SEO & Growth Lead",
"url": "https://www.aikido.dev/authors/nicholas-thomson",
"worksFor": {
"@id": "https://www.aikido.dev#organization"
},
"sameAs": [
"https://www.linkedin.com/",
"https://x.com/"
]
},
{
"@type": "Organization",
"@id": "https://www.aikido.dev#organization",
"name": "Aikido Security",
"url": "https://www.aikido.dev",
"logo": {
"@type": "ImageObject",
"url": "https://www.aikido.dev/logo.png"
},
"sameAs": [
"https://www.linkedin.com/company/aikido-security/",
"https://x.com/AikidoSecurity",
"https://www.youtube.com/@aikidosecurity"
]
},
{
"@type": "WebSite",
"@id": "https://www.aikido.dev#website",
"url": "https://www.aikido.dev",
"name": "Aikido Security",
"publisher": {
"@id": "https://www.aikido.dev#organization"
},
"inLanguage": "en-US"
}
]
}
</script>

