Safeguard.sh
Social Engineering

Email Security and Supply Chain Phishing Attacks

Phishing remains the top initial access vector for supply chain attacks. Targeted emails against developers, maintainers, and DevOps engineers open the door to code injection, credential theft, and pipeline compromise.

Alex
Security Analyst
6 min read

Phishing isn't new. But phishing targeted specifically at software supply chain participants -- developers, package maintainers, DevOps engineers, and security teams -- has become a precise and devastating attack category. The payoff for compromising a single open-source maintainer's account can dwarf traditional phishing targets.

Why Supply Chain Phishing Is Different

Traditional phishing targets end users to steal credentials or deliver malware. Supply chain phishing targets the people who build, maintain, and distribute software. The difference in impact is orders of magnitude.

Compromise a user account, and you get one victim. Compromise a package maintainer's account, and you get every downstream consumer of that package. That could be millions of applications.

The attackers know this. Supply chain phishing campaigns are increasingly sophisticated, targeted, and patient.

Attack Patterns

Package Maintainer Targeting

Open-source maintainers are high-value targets. Their npm, PyPI, or RubyGems credentials unlock the ability to publish malicious package versions to millions of consumers.

Attackers research maintainers on GitHub, find their email addresses (often publicly listed), and craft targeted phishing emails. Common pretexts include:

  • Fake security vulnerability reports requiring urgent action.
  • Impersonated registry emails about account verification.
  • Collaboration requests from seemingly legitimate organizations.
  • Fake job offers from well-known tech companies.

The npm account takeovers of 2022 demonstrated this pattern. Attackers sent phishing emails to maintainers of popular packages, captured their credentials, and used them to publish versions containing cryptocurrency-stealing code.

Developer Account Phishing

GitHub, GitLab, and Bitbucket accounts are targeted because they provide access to source code repositories. With repository access, attackers can:

  • Inject malicious code directly into projects.
  • Modify CI/CD configurations to exfiltrate secrets.
  • Create backdoored releases.
  • Modify build scripts to include malicious dependencies.

The GitHub OAuth phishing campaign of 2022 used fake Heroku and Travis CI notifications to steal GitHub OAuth tokens. The stolen tokens were used to access private repositories of dozens of organizations, including npm.

CI/CD Platform Phishing

Phishing emails targeting CI/CD credentials give attackers access to build pipelines, where they can:

  • Modify build scripts to inject malicious code.
  • Exfiltrate environment variables containing API keys and secrets.
  • Push compromised artifacts to registries.
  • Pivot to other systems accessible from the CI/CD environment.

Vendor Impersonation

Attackers impersonate software vendors, cloud providers, or security tools to target development teams:

  • Fake Dependabot alerts that link to credential-harvesting pages.
  • Impersonated cloud provider security warnings.
  • Fake vulnerability scanner reports that deliver malware.
  • Counterfeit vendor communications about license renewals.

Watering Hole via Email

Rather than directly phishing for credentials, some campaigns direct developers to compromised or malicious websites:

  • Fake Stack Overflow answers linked from email.
  • Malicious documentation sites.
  • Trojanized developer tools promoted via targeted emails.
  • Fake conference or meetup invitations that deliver payload.

The Kill Chain

A typical supply chain phishing attack follows this progression:

  1. Reconnaissance: Attacker identifies high-value targets by analyzing open-source projects, contributor lists, and maintainer profiles.
  2. Pretext development: Crafting a believable phishing email that's relevant to the target's role.
  3. Delivery: Sending the phishing email. Often from compromised legitimate accounts to bypass email security.
  4. Credential capture: Target enters credentials on a phishing page that mirrors the real login page.
  5. Access: Attacker uses captured credentials to access package registries, repositories, or CI/CD systems.
  6. Exploitation: Publishing malicious packages, injecting code, or exfiltrating secrets.
  7. Distribution: Malicious code propagates to downstream consumers through normal update mechanisms.

What Makes These Campaigns Effective

Legitimate Context

Supply chain phishing emails reference real projects, real vulnerabilities, and real tools. A fake GitHub security alert about a real CVE in a project the developer maintains is highly convincing.

Urgency

Security-related pretexts create urgency. "Critical vulnerability in your package" or "Your registry account will be suspended" push targets to act quickly without careful verification.

Technical Sophistication

These aren't Nigerian prince emails. They use proper technical terminology, reference real infrastructure, and the phishing pages are pixel-perfect replicas of legitimate login pages.

MFA Bypass

Modern supply chain phishing campaigns use real-time phishing proxies (tools like Evilginx2) that capture both credentials and MFA tokens, bypassing traditional multi-factor authentication.

Organizational Defenses

Phishing-Resistant Authentication

FIDO2/WebAuthn security keys are resistant to phishing because they're bound to the legitimate domain. Even if a developer enters their password on a phishing page, the security key won't authenticate to the wrong domain.

GitHub, GitLab, npm, and PyPI all support security keys. Make them mandatory for:

  • All package registry accounts.
  • Source code management accounts.
  • CI/CD platform accounts.
  • Cloud provider accounts.

Email Security Infrastructure

Deploy robust email security:

  • DMARC, DKIM, and SPF: Prevent email spoofing of your domain and verify sender authenticity.
  • Advanced threat protection: Use email security that analyzes links, attachments, and sender behavior.
  • Warning banners: Flag external emails, especially those that appear to come from internal domains.
  • Link rewriting: Rewrite URLs to pass through a security proxy that checks for phishing.

Security Awareness Training

Generic phishing training isn't enough. Developers need training specific to supply chain phishing:

  • Recognizing fake registry notifications.
  • Verifying GitHub security alerts through the platform, not email links.
  • Understanding OAuth permission requests.
  • Reporting suspicious emails from "collaborators" or "users" of their packages.

Account Monitoring

Monitor for signs of compromised accounts:

  • Unusual login locations or times.
  • New package versions published outside normal patterns.
  • Repository access from unexpected IP addresses.
  • CI/CD configuration changes by accounts that don't normally modify them.

Separate Credentials

Use different credentials for:

  • Package registry accounts.
  • Source code management.
  • CI/CD platforms.
  • Email accounts.

Credential separation limits the blast radius when one account is compromised.

Incident Response Planning

Have a specific incident response plan for supply chain account compromise:

  • How to quickly revoke compromised credentials.
  • How to audit what was changed during the compromise window.
  • How to notify downstream consumers if malicious packages were published.
  • How to work with registries to remove malicious versions.

For Open-Source Maintainers

Individual maintainers can protect themselves:

  • Use security keys for all development-related accounts.
  • Enable login notifications and review them.
  • Be skeptical of unsolicited collaboration requests.
  • Verify security reports through official channels, not email links.
  • Use a dedicated email address for package registry accounts.
  • Enable two-person review for package publishing when possible.

How Safeguard.sh Helps

Safeguard.sh provides a safety net for when phishing attacks succeed despite preventive measures. By continuously monitoring your dependency graph and validating component integrity through SBOMs, Safeguard.sh detects when a compromised maintainer account is used to publish malicious package versions. The platform's vulnerability monitoring tracks known supply chain compromises in real time, alerting your team when affected packages appear in your dependency tree. Policy gates can enforce approval workflows before new dependency versions enter your pipeline, adding a verification layer that catches compromised packages before they reach production -- even when the attack originated from a legitimate, phished account.

phishingemail-securitysocial-engineeringsupply-chain
Back to all articles

More on #phishing

View all →
Supply Chain Attacks

OSS Maintainer Account Takeover Trends 2025

7 min read
Incident Response

Dropbox Breach: Phishing Attack Exposes 130 Private GitHub Repositories

6 min read
Incident Response

0ktapus: The Phishing Campaign That Hit Cloudflare, Twilio, and 130+ Organizations

6 min read
Incident Analysis

Azure AD Token Theft Campaigns: A 2022 Retrospective

7 min read

Related articles in Social Engineering

Social Engineering

Mailchimp Social Engineering Breach: How an Employee Hack Compromised Crypto Customers

A social engineering attack on Mailchimp employees gave attackers access to internal tools, which they used to target cryptocurrency companies and their customers in a downstream phishing campaign.

April 4, 2022Read

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.