// first 10 minutes
supply chain compromise — quick-start
supply chain compromise — first 10 minutes. pin the malicious version, identify blast radius. print this, check boxes, then run the primary tools.
checklist
- identify the exact package name, malicious version, and first-published timestamp from the package registry advisory.
- pin or yank the affected version from your internal registry or package manager config — prevent new installs.
- query your CI/CD artifact cache and lock files for builds that pulled the malicious version.
- identify all production deployments built after the malicious version was published.
- export package-lock.json, yarn.lock, or requirements.txt from every affected pipeline run for the exposure window.
- pull code signing certificate logs — did the attacker push a signed release? note cert serial and publisher.
- export network egress logs for any system that ran builds containing the malicious package — beacon IPs matter.
- preserve the malicious package tarball from the registry before the registry removes it — record its sha-256 hash.
- identify all maintainer accounts that had publish access to the affected namespace — note account age and MFA status.
- begin the primary tool path below — supply chain compromise analyzer and package diff tool.
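The lock-file sweep and tarball hashing in the steps above, written out as an added example (not part of the original checklist or any tool it names). It scans the three lock-file formats the checklist mentions for one package at one malicious version and returns where it was pinned; all sample lock-file contents, the package name "example-widgets" and the version "2.4.1" are constructed placeholders.

```python
"""Sweep exported lock files for a known-bad package version and hash a preserved tarball.

Added example for the supply-chain first-10-minutes checklist. The bad package name and
version are placeholders; replace them with the values from the registry advisory.
"""
import hashlib
import json
import re
from pathlib import Path


def _hits_package_lock(text, name, bad_version):
    """package-lock.json: handles lockfileVersion 1 (nested 'dependencies')
    and 2/3 ('packages' keyed by install path). Returns install paths."""
    data = json.loads(text)
    hits = []
    for path, meta in data.get("packages", {}).items():
        if path.endswith("node_modules/" + name) and meta.get("version") == bad_version:
            hits.append(path)

    def walk(deps, prefix):
        for dep_name, meta in deps.items():
            loc = prefix + "node_modules/" + dep_name
            if dep_name == name and meta.get("version") == bad_version:
                hits.append(loc)
            walk(meta.get("dependencies", {}), loc + "/")

    walk(data.get("dependencies", {}), "")
    return sorted(set(hits))  # v2 lock files list both sections; dedupe


def _hits_yarn_lock(text, name, bad_version):
    """yarn.lock (v1 text format): a header line 'pkg@range, pkg@range:' is
    followed by an indented 'version "x.y.z"' line."""
    hits, current = [], []
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            specs = [s.strip().strip('"') for s in line.rstrip()[:-1].split(",")]
            # rsplit keeps scoped names like @scope/pkg intact
            current = [s.rsplit("@", 1)[0] for s in specs]
        elif line.startswith("  version "):
            version = line.split(None, 1)[1].strip().strip('"')
            if name in current and version == bad_version:
                hits.append(f"{name}@{version}")
    return hits


def _hits_requirements(text, name, bad_version):
    """requirements.txt: only exact '==' pins are conclusive; ranges need a resolver."""
    norm = lambda n: n.lower().replace("_", "-")  # PEP 503-style name normalisation
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*==\s*([^\s;]+)", line)
        if m and norm(m.group(1)) == norm(name) and m.group(2) == bad_version:
            hits.append(line)
    return hits


def scan_lock_text(filename, text, name, bad_version):
    """Dispatch on the lock-file name; returns a list of hit descriptions (empty = clean)."""
    base = Path(filename).name
    if base == "package-lock.json":
        return _hits_package_lock(text, name, bad_version)
    if base == "yarn.lock":
        return _hits_yarn_lock(text, name, bad_version)
    if base.endswith(".txt"):
        return _hits_requirements(text, name, bad_version)
    return []


def scan_lock_file(path, name, bad_version):
    return scan_lock_text(path, Path(path).read_text(encoding="utf-8"), name, bad_version)


def sha256_bytes(data):
    """Hash of the preserved tarball bytes, for the evidence record."""
    return hashlib.sha256(data).hexdigest()


# --- constructed sample lock files (not from any real pipeline) ---
BAD_NAME, BAD_VERSION = "example-widgets", "2.4.1"  # placeholders

SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"example-widgets": "^2.4.0"}},
        "node_modules/example-widgets": {"version": "2.4.1"},
        "node_modules/express": {"version": "4.18.2"},
    },
})
SAMPLE_YARN_LOCK = """# yarn lockfile v1

express@^4.18.0:
  version "4.18.2"
  resolved "https://registry.example/express-4.18.2.tgz"

example-widgets@^2.4.0, example-widgets@~2.4:
  version "2.4.1"
  resolved "https://registry.example/example-widgets-2.4.1.tgz"
"""
SAMPLE_REQUIREMENTS = "requests==2.31.0\nexample-widgets==2.4.1  # pinned\nflask==3.0.0\n"


def main():
    samples = [("package-lock.json", SAMPLE_PACKAGE_LOCK),
               ("yarn.lock", SAMPLE_YARN_LOCK),
               ("requirements.txt", SAMPLE_REQUIREMENTS)]
    for fname, text in samples:
        hits = scan_lock_text(fname, text, BAD_NAME, BAD_VERSION)
        print(f"{fname}: {hits if hits else 'clean'}")
    print("sha256 of preserved tarball:", sha256_bytes(b"constructed tarball bytes"))


if __name__ == "__main__":
    main()
```

Run `scan_lock_file(path, name, version)` over every lock file exported from the exposure window; a non-empty result marks that pipeline run as affected. Range specifiers in requirements.txt are deliberately not treated as hits, since only the resolver output says what was actually installed.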
primary tools
- 01 yara scanner: write YARA-like rules · scan any file locally · string and byte pattern matching · condition logic · export match report · runs locally
- 02 yara rule scanner: write YARA rules or use 50+ built-in rules · drop any binary to scan · condition matching · string search · hex patterns · offset anchors · export matches · runs locally
- 03 pe analyzer: drop a Windows executable · parse PE headers · sections · imports · exports · entropy per section · detect packers · imphash · runs locally
- 04 pe static analyzer: drop any .exe · .dll · .sys · parse PE headers · import table · suspicious API categories · section entropy · packer fingerprint · anomaly detection · export report · runs locally
- 05 PE compile timestamp vs filesystem timestamp conflict detector: drop mft csv or file listing with pe headers · extract compile timestamps from pe headers · detect files with filesystem timestamps earlier than their compile timestamp · surface impossible binaries indicating timestomping · runs locally
- 06 imphash calculator: drop a PE file · compute Mandiant-style import hash · list all imports · compare with known samples · runs locally
- 07 binary compiler and language identifier: drop pe, elf or macho binaries · identify compiled language · go, rust, nim, compiled python, dlang, zig · detect compiler version · extract build metadata · language-specific string patterns · runs locally
- 08 source code style forensic fingerprinter: drop source code or decompiled text · analyze indentation · naming · comments · apis · stylometric fingerprint · compare authorship · runs locally