At the RSA Conference this week, government officials and cybersecurity executives mulled over the multiple layers of challenges in securing the software supply chain.
An intrusion at a separate company led to the supply chain attack on 3CX that was disclosed last month, investigators said.
GitHub is launching two new features that enable developers to create a private vulnerability reporting channel and provide provenance attestations for their packages.
The supply chain attack against 3CX may have been planned for more than a year, and such intrusions are the best return on investment for attackers, researchers say.
CircleCI said it is investigating a security incident and warned customers to rotate all secrets stored in the service.