⌒
⌒
The modern attack surface now spans the entire software supply chain, covering everything from source code and CI/CD pipelines to dependencies, registries, and distribution systems. This expanded exposure has made supply chain attacks one of the top three risks in the OWASP Top 10.
In this workshop, participants will look at real case studies, including recent npm attacks, and learn how attackers take advantage of weak points in the software supply chain. To help defend against these risks, attendees will learn how to create and understand SBOMs, sign important artifacts, and set up strong checks to make sure every part of their software pipeline is verified and trustworthy.
The modern attack surface now spans the entire software supply chain, covering everything from source code and CI/CD pipelines to dependencies, registries, and distribution systems. This expanded exposure has made supply chain attacks one of the top three risks in the OWASP Top 10.
In this workshop, participants will look at real case studies, including recent npm attacks, and learn how attackers take advantage of weak points in the software supply chain. To help defend against these risks, attendees will learn how to create and understand SBOMs, sign important artifacts, and set up strong checks to make sure every part of their software pipeline is verified and trustworthy.
This workshop provides a practical and technical understanding of how modern software is built, the components involved, and where supply chain risks emerge. We cover source control, CI/CD, dependencies, containers, cloud integrations, and AI-related risks. Using recent incidents like the s1ngularity and Shai-Hulud attacks, we show how malicious packages execute during builds, steal credentials, and bypass common detection gaps.
Participants will perform offensive exercises, including exploiting dependency confusion by publishing a malicious package and analysing vulnerable SBOMs using depconfuse. We demonstrate how secrets are exposed through hardcoded credentials, long-lived AWS IAM keys in GitHub, bypassing GitHub’s secret masking, and exfiltrating secrets with a malicious PR. We then explain how organisations can prevent this using GitHub OIDC.
The workshop also covers repojacking and typesquatting attacks, showing how renamed or deleted repos and lookalike package names are abused, along with methods to detect these threats.
On the defence side, we teach SBOM fundamentals (CycloneDX and SPDX), key fields, and the differences between flat and transitive SBOMs, followed by generating an SBOM in a hands-on lab. We also cover signing code, artifacts, SBOMs, and container images using cosign. Finally, we explain the SLSA framework and practical controls teams can adopt to strengthen software supply chain security.
Security Engineering Leader
Scapia
Akhil Mahendra is a seasoned security engineering leader with over 8 years of experience building security teams in high-growth fintech startups. He currently leads security at Scapia, a fast-growing fintech startup, where he is building security foundations from the ground up. Previously, he was a founding member of the security team at CRED, where he helped build and scale the product security function and established charters for security engineering and software supply chain security. He is the creator of several open-source security tools, including SupplyShield, DepConfuse, and Patronus, which address critical gaps in software supply chain security, dependency confusion. His work has been featured at Nullcon, OWASP AppSec Days, Black Hat and is actively used by engineering teams to shift security left without compromising development velocity. Akhil is also an active contributor to the security community. As a former member of Team bi0s, India’s top-ranked CTF team, he has won numerous competitions and helped organize national contests like InCTF, promoting offensive security education across the country.
Security Engineer
CRED
Yadhu is a passionate Security Engineer, currently leading the software supply chain security charter at CRED, with over four years of experience in security. He specializes in identifying security vulnerabilities and building scalable security solutions. He has been a speaker at prominent security conferences, including Nullcon, BlackHat Asia and BlackHat Europe. As an open-source enthusiast and core maintainer of the SupplyShield project, he actively contributes to improving software supply chain security. He has reported high-severity security issues in critical projects such as Node.js, Gunicorn, and Safari, earning multiple CVEs for his work. He also has been part of team bi0s (India’s top CTF team) as a mentor, CTF player, and challenge creator.
Date
February 19, 2026
Time
09:00 AM
Location
Goa, India