By name: supply-chain-overview description: > Use when the engagement scope includes supply-chain attack simulation — typosquatted package publication, dependency confusion, GitHub Actions secret mining, internal mirror poisoning, OAuth-app impersonation, or vendor portal credential abuse. metadata: subdomain: supply-chain when_to_use: "supply chain typosquat dependency confusion gh actions secret oauth app impersonation internal mirror poisoning vendor portal" tags: supply-chain, typosquatting, dep-confusion, gh-actions, oauth-app mitre_attack: T1195, T1195.001, T1195.002, T1199, T1136, T1543
Supply Chain Operator Skill Catalog
Supply-chain attacks have grown 1,300% since 2020 per Decepticon's own
ai-red-teaming.md. This catalog
gives the agent the playbooks to simulate the most common patterns —
all in a sandbox-isolated mode that publishes to a local mock registry by
default and to a real one only with supply_chain_real_publish=true in
ConOps.
Playbooks
| Skill | Use for |
|---|---|
/skills/standard/supply-chain/typo-name-gen/SKILL.md |
Generate typosquat candidates for a target package; reachability + popularity score |
/skills/standard/supply-chain/dep-confusion-probe/SKILL.md |
Check whether an internal package name is squat-able on PyPI / NPM / RubyGems / NuGet |
/skills/standard/supply-chain/post-install-script/SKILL.md |
Author + sandboxed publish of a benign post-install probe |
/skills/standard/supply-chain/gh-actions-fork-pr/SKILL.md |
Fork-PR secret mining; pull_request_target misconfiguration scan |
/skills/standard/supply-chain/oauth-app-impersonation/SKILL.md |
Lookalike OAuth app + scope-creep social engineering |
/skills/standard/supply-chain/internal-mirror-poison/SKILL.md |
Verdaccio / Artifactory / Nexus index manipulation |
/skills/standard/supply-chain/sbom-divergence/SKILL.md |
Audit SBOM vs actual installed packages for drift |
/skills/standard/supply-chain/vendor-portal-creds/SKILL.md |
SaaS vendor admin portal credential abuse paths |
Dry-run mode
All publish-mode skills accept a --dry-run flag that:
- Generates the typosquat package contents in
/workspace/typo-pkg/. - Builds the artifact (
.tar.gz,.tgz, etc.) without uploading. - Computes the "hit probability" via the target package's historical download counts + Levenshtein distance.
- Reports the artifact location + hit probability for human review.
Real publish requires both supply_chain_real_publish=true in ConOps AND
operator HITL approval at the moment of publish. Defense in depth.
GitHub Actions attack surface
Most rewarding attack class in 2024-2026. Common misconfigurations:
pull_request_targetwithactions/checkoutof${{ github.event.pull_request.head.sha }}→ fork PRs run with target-repo secrets.workflow_runtriggers readinginputswithout sanitization.${{ github.event.pull_request.title }}interpolated into shell.- Shared
GITHUB_TOKENwith write scope oncontents.
The gh-actions-fork-pr skill encodes the full enumeration: search the
target org's workflows, identify exploitable patterns, build a PoC fork
PR that exfiltrates secrets.* without modifying the workflow file
itself (so the operator's PR doesn't look obviously malicious to a human
reviewer).
Detection emission
For every simulated attack, the Detector agent produces:
- A Sigma rule for the SIEM (e.g., unusual
npm installin CI logs,actions/checkout@followed bysecrets.*reference patterns). - A GitHub Actions YAML linter rule for the customer's pre-merge checks.
- A SLSA attestation gap report.
Out of scope
Real-world publication that could harm third parties (other companies
who consume the customer's internal packages). The dep-confusion-probe
explicitly avoids this by checking name availability without uploading;
the operator decides whether to follow through.