Beyond SBOMs: The Future of Container Supply Chain Security

When a single phished NPM maintainer led to 18 compromised libraries—including Chalk and Debug, downloaded billions of times weekly—it proved one thing: basic SBOMs alone aren't enough. But when the recent "Mini Shai Hulud" worm and its family of variants began silently tunneling through CI/CD pipelines to infect downstream containers, it proved our entire approach to build-time security needs a massive upgrade.

Talk Deliveries

May 6, 2026
Zurich, Switzerland

In this talk, Docker Captain Mohammad-Ali A'râbi explores how modern supply-chain attacks are evolving—from the blast radius of the September 2025 NPM breach to the stealthy, self-propagating nature of the Mini Shai Hulud attacks—and how the next generation of tools can stop them in their tracks.

Key Takeaways

  • 🧠 Deconstruct the latest threats: Understand how the 2025 NPM attack happened, how the new Mini Shai Hulud family of worms tunnels through build environments, and why traditional SBOMs are blind to both.
  • 📦 Lock down the perimeter: Pin & lock dependencies to prevent malicious updates and rogue variants from sneaking into your codebase.
  • 🧱 Enforce cryptographic trust: Generate, sign, and verify attestations using BuildKit + Cosign + Docker Scout to ensure what you build is exactly what you ship.
  • 🔒 Adopt zero-trust pipelines: Implement SLSA levels + OCI 1.1 referrers to have trusted visibility on your supply chain.
  • 🧰 Defend proactively: Walk away with seven practical strategies—including blocking lifecycle scripts (the vector for Shai Hulud), sandboxing AI agents, and using hardened images.
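Two of the takeaways above, pinning dependencies and blocking lifecycle scripts, can be checked mechanically before a build runs. The script below is an added example written for this page, not code from the talk or from Docker; it reads a package.json and a package-lock.json (both embedded here as constructed sample data with invented package names) and reports direct dependencies that use a version range instead of an exact pin, lockfile entries that npm has flagged with `hasInstallScript` (the field npm writes for packages with preinstall/install/postinstall hooks), and entries missing an integrity hash. Running it as a CI gate turns "pin & lock" and "block lifecycle scripts" into a failing build rather than a reminder.

```python
"""Audit an npm project for unpinned dependency ranges, packages that run
lifecycle (install) scripts, and lockfile entries without an integrity hash.

Added example for this page; not the talk's or Docker's code. The manifest
and lockfile below are constructed sample data with invented package names.
"""
import json
import re
import sys

# Constructed sample package.json: one exact pin, one caret range.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {
        "left-pad-ish": "1.3.0",
        "color-ish": "^5.2.0",
    },
})

# Constructed sample package-lock.json in lockfileVersion 3 layout. npm sets
# "hasInstallScript": true on entries whose package declares install hooks.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/left-pad-ish": {
            "version": "1.3.0",
            "resolved": "https://registry.example.invalid/left-pad-ish-1.3.0.tgz",
            "integrity": "sha512-CONSTRUCTEDSAMPLEHASH",
        },
        "node_modules/color-ish": {
            "version": "5.2.1",
            "hasInstallScript": True,
            "resolved": "https://registry.example.invalid/color-ish-5.2.1.tgz",
            "integrity": "sha512-CONSTRUCTEDSAMPLEHASH",
        },
        # Nested dependency with an install hook and no integrity field.
        "node_modules/color-ish/node_modules/helper-ish": {
            "version": "0.1.0",
            "hasInstallScript": True,
        },
    },
})

# An exact semver pin: MAJOR.MINOR.PATCH with an optional prerelease/build tag.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def unpinned_dependencies(package_json_text):
    """Return {name: spec} for direct deps whose spec is not an exact version.

    Ranges (^, ~, >=, *, 'latest') let a later publish change what installs.
    """
    manifest = json.loads(package_json_text)
    result = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if not EXACT_VERSION.match(spec):
                result[name] = spec
    return result


def _package_name(lock_path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (scoped names preserved)."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def packages_with_install_scripts(lock_text):
    """Return sorted 'name@version' for lockfile entries flagged hasInstallScript.

    These run arbitrary code at `npm install` time unless ignore-scripts is set.
    """
    lock = json.loads(lock_text)
    flagged = []
    for path, entry in lock.get("packages", {}).items():
        if path == "" or not entry.get("hasInstallScript"):
            continue
        flagged.append(f"{_package_name(path)}@{entry.get('version', '?')}")
    return sorted(flagged)


def missing_integrity(lock_text):
    """Return sorted 'name@version' for entries that `npm ci` cannot verify."""
    lock = json.loads(lock_text)
    missing = []
    for path, entry in lock.get("packages", {}).items():
        if path == "" or entry.get("link"):
            continue
        if "integrity" not in entry:
            missing.append(f"{_package_name(path)}@{entry.get('version', '?')}")
    return sorted(missing)


def audit(package_json_text, lock_text):
    """Combine the three checks; an empty report means the gate passes."""
    return {
        "unpinned": unpinned_dependencies(package_json_text),
        "install_scripts": packages_with_install_scripts(lock_text),
        "missing_integrity": missing_integrity(lock_text),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_PACKAGE_JSON, SAMPLE_PACKAGE_LOCK)
    print(json.dumps(report, indent=2))
    # Fail the pipeline if any check produced findings.
    sys.exit(1 if any(report.values()) else 0)
```

In a real pipeline the two `SAMPLE_` constants would be replaced by reading the project's own `package.json` and `package-lock.json`; pairing this gate with `ignore-scripts=true` in `.npmrc` and `npm ci` (which refuses to install when the lockfile and manifest disagree) covers the install-time vector the talk attributes to the Shai Hulud family.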

Gallery

  • Matching Colors (event detail): socks with colors matching the DevOpsDays Zurich theme.
  • Slides on Shai-Hulud (talk photo): audience view of the Shai-Hulud section during Beyond SBOMs at DevOpsDays Zurich 2026.
  • Stage and Norse Gods (talk photo): stage view with the Norse gods slide during Beyond SBOMs at DevOpsDays Zurich 2026.