What is a supply chain attack?

A supply chain attack targets the less-secure elements in a software or service supply chain — third-party vendors, open-source libraries, build tools, or update mechanisms — rather than attacking the primary target directly. The attacker compromises a trusted supplier to reach their actual targets at scale. Famous examples: SolarWinds (2020): attackers inserted malicious code into SolarWinds' Orion software update, compromising 18,000+ organizations (including US government agencies). XZ Utils (2024): malicious backdoor inserted into a popular Linux compression library via a long-term social engineering campaign on the maintainer. npm package hijacking: event-stream and colors npm packages were compromised. Defense: (1) Software Composition Analysis (SCA): track and audit all dependencies. (2) Dependency pinning: pin exact versions with hash verification. (3) Vendor security assessments. (4) SBOM (Software Bill of Materials): inventory all components. (5) Build pipeline security: sign artifacts, verify provenance (SLSA framework).