SigstoreCon Supply Chain Day 2024

Attackers are increasingly exploiting the trust-based, interconnected nature of the open source supply chain, with malware being distributed through package ecosystems, often hidden within the complexity of upstream dependencies. In this talk, we will showcase how Sigstore provenance can serve as a powerful source of truth for verifying package proof-of-origin. The absence of clear provenance, combined with other metadata signals, can act as a strong indicator of potential malicious intent. As a case study, we will discuss a recent spike in DPRK state-sponsored attacks hosted on NPM, where APT groups aimed to harvest cryptocurrencies and establish backdoors on developer machines. Attendees will gain valuable insights into the critical role Sigstore plays in supply chain threat detection, and understand how its broader adoption can help protect the entire ecosystem. By promoting stronger provenance verification, the community can more effectively distinguish between legitimate packages and harmful imitations.