A supply-chain worm is malware that spreads through trusted software workflows instead of only infecting one computer. It can move via package registries, source-control accounts, build scripts, CI/CD automation, or shared credentials, using the permissions that developers and systems already trust.
This matters because a single stolen token, API key, or signing secret can let an attacker publish malicious packages, alter source code, trigger workflows, or reach cloud and cluster infrastructure. In defense, teams reduce the blast radius with short-lived credentials, secret scanning, token revocation, least-privilege IAM roles, protected package publishing, and careful review of automated build and deployment paths.
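One of the defensive controls listed above, secret scanning, is worth seeing in code. The following is an added example written for this page, not code from any project it describes: a small scanner that walks constructed file contents (a CI workflow, an `.npmrc`, a deploy script; the token values are made up and the `SAMPLE_FILES` name, the pattern table and the `Finding` type are this example's own) and reports literal credentials while leaving references such as `${{ secrets.GITHUB_TOKEN }}` alone. It redacts each match in the report so the scan output cannot itself become the next leak.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines as they might appear in a repository.
# Every token value below is invented for this example and is not a real
# credential; only its shape matches the issuer's documented format.
SAMPLE_FILES = {
    ".github/workflows/release.yml": [
        "name: release",
        "on: [push]",
        "env:",
        "  NPM_TOKEN: npm_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
        "  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}",
    ],
    ".npmrc": [
        "//registry.npmjs.org/:_authToken=${NPM_TOKEN}",
    ],
    "deploy.sh": [
        "export AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP",
        "export AWS_SECRET_ACCESS_KEY=${AWS_SECRET}",
        "gh auth login --with-token <<< ghp_abcdefghijklmnopqrstuvwxyz0123456789",
    ],
}

# Illustrative patterns for well-known token prefixes. A production scanner
# would carry a much larger, maintained table; these three are enough to show
# the mechanism.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[A-Z0-9]{16}\b"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str


def redact(secret: str) -> str:
    """Keep the identifying prefix and a short tail; never echo the full value."""
    return f"{secret[:4]}...{secret[-4:]}"


def scan_lines(path: str, lines: list[str]) -> list[Finding]:
    """Return one Finding per literal credential matched in the given lines."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, line_no, kind, redact(match.group(0))))
    return findings


def scan_repo(files: dict[str, list[str]]) -> list[Finding]:
    """Scan every file in the mapping; references like ${VAR} produce no findings."""
    findings = []
    for path, lines in files.items():
        findings.extend(scan_lines(path, lines))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """Format findings for a CI log; only redacted values appear."""
    return [f"{f.path}:{f.line_no}: {f.kind} {f.redacted}" for f in findings]


if __name__ == "__main__":
    hits = scan_repo(SAMPLE_FILES)
    for line in report(hits):
        print(line)
    # A non-zero exit lets a CI job fail the build when literals are present.
    raise SystemExit(1 if hits else 0)
```

Run against the constructed input, the scanner flags the three literal tokens (npm, AWS access key ID, GitHub PAT) and ignores the two environment references, which is exactly the distinction a pre-commit or CI gate needs: the fix for a hit is to revoke the exposed token and replace the literal with a reference to a short-lived or vaulted credential, not merely to delete the line.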