SBOM.DAY

2026-03-12
Critical

Critical Supply-Chain Vulnerability Found in Popular npm Package Manager

A newly disclosed zero-day in a widely-used dependency resolution tool affects over 14,000 packages across the npm ecosystem.

Today's Briefing

1.

npm supply-chain zero-day affects 14K+ packages

NVD2h ago
2.

CISA mandates SBOM submission for federal contractors by Q4

CISA4h ago
3.

CycloneDX 1.7 release adds ML model transparency fields

OWASP6h ago
4.

EU Cyber Resilience Act SBOM requirements enter consultation phase

EC8h ago
5.

SPDX 3.1 draft specification open for community review

Linux Foundation12h ago

Vulnerability Tracker

CVE IDPackageSeveritySBOM Impact
CVE-2026-1847npm-resolver9.8Direct dependency
CVE-2026-1832libxml27.5Transitive
CVE-2026-1819openssl7.2Direct dependency
CVE-2026-1804log4j-core5.3Transitive
CVE-2026-1791flask3.1Dev dependency
Weekly Analysis · Week 11, 2026

SBOM Adoption Reaches Critical Mass in Federal Sector

This week's CISA mandate announcement marks a turning point: 92% of federal agencies now have SBOM generation pipelines in place, up from just 34% in 2024. The mandate's Q4 deadline for contractor compliance will impact an estimated 8,400 vendors.

On the standards front, CycloneDX 1.7's addition of ML model transparency fields positions it as the first SBOM format to address AI supply-chain risks — a space where 67% of organizations report zero visibility.