Supply Chain Attack

A supply chain attack compromises a vendor, build pipeline, or upstream dependency to deliver malicious code to downstream consumers.

Definition

A supply chain attack compromises one element of the software supply chain — a vendor's build pipeline, an open-source maintainer's account, a CI/CD provider, a code-signing key — to deliver malicious code to every downstream consumer of the compromised artefact. The blast radius is the entire user base, not a single target. SolarWinds (2020, CVE-2020-10148 and adjacent) is the modern emblem; `event-stream` (2018), `xz-utils` (2024, CVE-2024-3094), and `shadow-go-modules` typosquats fill out the genre.

Supply chain attacks raise hard architectural questions about trust: how much do you trust your build pipeline? Your dependencies' dependencies? The signing keys of every package manager? SBOMs and provenance attestations (SLSA) are partial answers; reproducible builds and minimised attack surfaces are the others.

Mitigation

Pin dependencies by version and hash. Verify provenance attestations (SLSA). Restrict the privileges of CI/CD systems. Audit any newly introduced transitive dependency. Treat your build pipeline as a production system.
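
One way to enforce the "pin by version and hash" rule in code review or CI, as an added example that is not part of the original entry: it audits a pip-style requirements file for entries lacking an exact == pin or a sha256 --hash, and shows the digest comparison that a hash pin implies. The package names, sample file contents and function names are constructed for illustration.

```python
import hashlib
import re

# Constructed sample input: stand-in artifact bytes and a pip-style requirements file.
GOOD_WHEEL = b"constructed wheel bytes for the example"
GOOD_HASH = hashlib.sha256(GOOD_WHEEL).hexdigest()
SAMPLE_REQUIREMENTS = f"""\
# constructed sample input
pinned-pkg==1.4.2 \\
    --hash=sha256:{GOOD_HASH}
floating-pkg>=2.0
nohash-pkg==0.9.1
badhash-pkg==3.1.0 --hash=sha256:deadbeef
"""

NAME_RE = re.compile(r"^[A-Za-z0-9._-]+")
# Exact pin only: name, optional [extras], ==, a literal version (no wildcard).
PIN_RE = re.compile(r"^[A-Za-z0-9._-]+(?:\[[^\]]*\])?\s*==\s*[A-Za-z0-9.!+_-]+(?=\s|;|$)")
HASH_RE = re.compile(r"--hash=sha256:(\S+)")
HEX64 = re.compile(r"^[0-9a-f]{64}$")

def logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines."""
    joined = re.sub(r"\\\r?\n", " ", text)
    for line in joined.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", line).strip()
        if line:
            yield line

def audit_requirements(text):
    """Return (name, problem) for each entry not pinned by version and hash."""
    findings = []
    for line in logical_lines(text):
        if line.startswith("-"):  # global option line, e.g. --index-url
            continue
        match = NAME_RE.match(line)
        name = match.group(0) if match else line
        hashes = HASH_RE.findall(line)
        if not PIN_RE.match(line):
            findings.append((name, "version not pinned with =="))
        elif not hashes:
            findings.append((name, "no --hash pin"))
        elif not all(HEX64.match(h) for h in hashes):
            findings.append((name, "malformed sha256 digest"))
    return findings

def artifact_matches(data, pinned_hashes):
    """True only if the downloaded bytes hash to one of the pinned digests."""
    return hashlib.sha256(data).hexdigest() in pinned_hashes
```

pip applies the same requirement at install time when run as `pip install --require-hashes -r requirements.txt`; a pre-merge audit like this surfaces the gap before a build depends on it.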

Examples

  • CVE-2020-10148 — SolarWinds Orion supply-chain compromise.
  • CVE-2024-3094 — xz-utils backdoor in upstream tarball.
