Supply chain attacks are exploiting our assumptions
16 days ago
- #supply-chain-security
- #cyberattacks
- #software-dependencies
- Supply chain attacks exploit trust in software dependencies, targeting assumptions about package names, maintainers, and build processes.
- Recent attacks include typosquatting, dependency confusion, stolen credentials, and compromised build pipelines, affecting millions of systems.
- Implicit trust in package managers (e.g., npm, pip, cargo) is weaponized, with attackers exploiting weak verification and over-reliance on maintainers.
- Notable incidents: XZ Utils backdoor (2024), PyTorch malware (2022), SolarWinds (2020), and npm/crates.io typosquatting campaigns.
- New defenses include TypoGard/Typomania (typosquatting detection), Zizmor (GitHub Actions security), PyPI Trusted Publishing, and Homebrew attestations.
- Capability analysis (e.g., Go Capslock) shifts focus from code origin to what code can do, flagging unexpected behaviors like network access.
- Key questions for developers: How does your ecosystem block typosquats? Can you verify build provenance? Do you know your dependencies' capabilities?
- Adopt tools like Trusted Publishing, Zizmor, and attestations to make trust explicit and verifiable, reducing supply chain risks.
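
The typosquatting question above can be made concrete with a registry-side name check. The following is an added example, not code from the article and not the algorithm TypoGard or Typomania use; the `POPULAR` list is constructed sample data and the function names are hypothetical.

```python
import re

# Constructed sample of well-known package names (assumption: a real check
# would load the registry's most-downloaded list instead).
POPULAR = {"requests", "numpy", "urllib3", "python-dateutil", "cryptography"}


def normalize(name: str) -> str:
    """Lowercase and collapse runs of '-', '_' and '.' (PEP 503 style)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    and transposition of two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def squat_targets(candidate: str, popular=POPULAR, max_dist: int = 1) -> list:
    """Return the popular names a new package name could be confused with."""
    cand = normalize(candidate)
    known = {normalize(p) for p in popular}
    if cand in known:
        return []  # the genuine package, not a look-alike
    hits = set()
    for target in known:
        # Separator tricks: 'pythondateutil' vs 'python-dateutil'.
        if cand.replace("-", "") == target.replace("-", ""):
            hits.add(target)
        # Reordered words: 'dateutil-python' vs 'python-dateutil'.
        elif sorted(cand.split("-")) == sorted(target.split("-")):
            hits.add(target)
        # Short names are skipped to limit false positives on edit distance.
        elif len(target) > 4 and osa_distance(cand, target) <= max_dist:
            hits.add(target)
    return sorted(hits)
```

A non-empty result is a reason to hold a new package name for review at publish time, not proof of malice.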