The building blocks for tomorrow's most damaging supply chain attacks are already being bought and sold on underground forums today, according to research from threat intelligence firm Flare. Access credentials for GitHub repositories, leaked source code, and stolen API keys are all openly traded commodities — and together they form an early warning system that most organisations are failing to monitor.
A Marketplace for Attack Components
The findings, published in a report covered by BleepingComputer, reveal that cybercriminal forums and dark web marketplaces have evolved into specialised bazaars where different stages of a supply chain attack are sold separately by distinct actors. One vendor might sell authenticated access to a developer's GitHub account. Another specialises in dumping API keys scraped from public repositories or exfiltrated from compromised environments.
This division of labour is significant. Where supply chain attacks were once the domain of highly skilled operators — the SolarWinds compromise of 2020 being a prominent example — the underground economy has increasingly commoditised the process. Credential brokers focus on harvesting and selling access, while weaponisers concentrate on exploiting it. The technical barrier to executing a damaging supply chain breach is dropping accordingly.
The Composability Problem
What makes this marketplace model particularly dangerous is what security analysts describe as the "composability" of attacks. A threat actor does not need to compromise an entire software pipeline in a single operation. Instead, they can assemble a complete attack chain by purchasing individual components from different sellers: a GitHub credential from one listing, a leaked API key from another, and perhaps a set of developer email addresses from a third.
Each purchase alone may appear low-risk. Together, they can give an attacker the ability to push malicious code into a widely used dependency, exfiltrate proprietary source code, or inject backdoors into a CI/CD pipeline. The fragmented nature of the marketplace mirrors the fragmented nature of modern software development itself — and that is precisely what makes it effective.
Signals Hiding in Plain Sight
Flare's research underscores that these transactions leave traces long before an actual breach occurs. A GitHub access token appearing on a forum, a repository dump surfacing on a paste site, or API credentials listed for sale — these are the early indicators of supply chain risk. Yet most organisations lack the visibility to detect them.
The implication is straightforward: monitoring the dark web for mentions of an organisation's digital assets is no longer an advanced threat intelligence capability reserved for large enterprises. It is becoming a baseline expectation for any entity that contributes to or depends on the software supply chain.
Credential Hygiene as a First Principle
Beyond monitoring, the research reinforces a foundational security principle that remains stubbornly underimplemented: credential management. Short-lived access tokens, hardware-based authentication, automated secret scanning in repositories, and strict access controls on code hosting platforms are all well-understood defences. The continued prevalence of GitHub credentials and API keys on underground markets suggests that adoption of these practices lags far behind the threat.
For open-source maintainers, who often operate with limited resources under high-trust models, the risk is amplified. A single compromised maintainer account can cascade through thousands of downstream dependencies — a reality the open-source community has confronted repeatedly in recent years.
What This Means for the Broader IT Community
The findings are broadly relevant to developers, DevOps engineers, and security teams worldwide. For IT professionals in any region, including Hong Kong's growing technology sector, the research serves as a reminder that supply chain security begins long before an attacker is inside the network. The signals are already there, traded openly on forums that security researchers routinely access — the question is whether organisations are paying attention.
Treating dark web monitoring and rigorous credential hygiene as standard components of supply chain risk management is no longer aspirational. Given the pace at which the cybercrime ecosystem is industrialising these operations, it is becoming a minimum requirement for responsible software stewardship.
