EP270 The Convenience Tax: Why We Keep Failing at Supply Chain Security

EP270 The Convenience Tax: Why We Keep Failing at Supply Chain Security

From Cloud Security Podcast by Google by Anton Chuvakin

April 6, 2026 · 27 min · Season 1 · Episode 270

About this episode

The episode discusses the challenges of supply chain security and the impact of convenience on security practices.

Guest: Dan Lorenc , Founder / CEO, Chainguard Topics: We just saw a security tool (Trivy) get used to pop an AI infrastructure tool (LiteLLM) to eventually pop end users. Have we reached the point where our security tooling is actually our largest unmanaged attack surface? Why now? Software supply chain security had the perennial vibe of "not top concern" for most organizations, right? TeamPCP pushed malicious code to existing GitHub tags. We've been screaming about pinning versions to SHAs for years, but clearly, nobody is listening. Is it time to admit that 'convenience' is the primary enemy of supply chain security? The Axios incident showed a victim compromised in under two minutes. In a world of auto-updating dependencies, is the concept of a human-in-the-loop for software updates officially dead, or do we need to look very hard at version pinning and such? With XZ Utils case, we saw a long-game social engineering attack. Beyond just 'watching npm closely,' what are the realistic architectural safeguards for an org that knows they can't audit every line of an update? We've spent the last three years talking about SBOMs (Software Bill of Materials) like they were a pill for…

People in this episode

Host: Anton Chuvakin

Guest: Dan Lorenc

Topics covered

  • supply chain security
  • security tooling
  • malicious code
  • version pinning
  • software updates
  • architectural safeguards
  • credential exfiltration

Keywords

  • supply chain security
  • security tooling
  • malicious code
  • version pinning
  • SBOM
  • CI/CD
  • credential exfiltration

Mentioned in this episode

Organizations: Chainguard, GitHub, Axios

Products: Trivy, LiteLLM, XZ Utils, SBOMs

Places: npm

More episodes of Cloud Security Podcast by Google

Explore listener stats, chart rankings, contacts and more on the Cloud Security Podcast by Google podcast page.