โ† Back to all modules
๐Ÿ“ฆ
โš™๏ธ Security Engineers ยท Module 6

Supply Chain Security

Audit your dependencies before they audit you — master npm audit, lockfiles, SBOMs, typosquatting defense, and cryptographic package signing with Sigstore.


The Software Supply Chain Threat Landscape

In 2024, the xz/liblzma backdoor (CVE-2024-3094) demonstrated that even core open-source infrastructure can be compromised by a patient, sophisticated attacker who spent two years building trust as a maintainer. Your side projects are built on the same ecosystem.

Every npm install, pip install, or cargo add pulls code written by strangers into your project. That code runs with the same permissions as your application — which often means access to your filesystem, network, environment variables, and secrets.

The Attack Surface

Your Side Project
├── package.json (12 direct dependencies)
│   ├── express (30 transitive deps)
│   ├── axios (4 transitive deps)
│   ├── jsonwebtoken (8 transitive deps)
│   └── ... (total: ~400 packages)
├── Each package has:
│   ├── install scripts (run during npm install)
│   ├── publish access (whoever controls the npm token)
│   └── transitive dependencies (you didn't choose these)

A typical Node.js project has 200-1000+ packages in node_modules. You chose maybe 15 of them. The rest were pulled in transitively, and any one of them can execute arbitrary code.
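
The split between chosen and transitive packages described above can be measured from a lockfile. The following is an added example, not part of the original module: it walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3) and reports direct versus transitive packages and which ones npm marked with `hasInstallScript`. The sample lockfile and its package names are constructed for illustration.

```javascript
// Added example: measure the install-time attack surface recorded in an npm
// package-lock.json (lockfileVersion 2 or 3, which carry a "packages" map).
function summarizeLock(lock) {
  const packages = lock.packages || {};
  const root = packages[""] || {};
  const marker = "node_modules/";
  // Packages you chose yourself: everything declared in the root manifest.
  const chosen = new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
    ...Object.keys(root.optionalDependencies || {}),
  ]);
  const summary = { total: 0, direct: 0, transitive: 0, installScripts: [] };
  for (const [path, meta] of Object.entries(packages)) {
    // Skip the project itself, workspace links and workspace folders.
    if (path === "" || meta.link || !path.includes(marker)) continue;
    // "node_modules/a/node_modules/b" -> "b"; scoped names ("@s/b") survive intact.
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    // Only a top-level entry named in the root manifest counts as direct.
    const isDirect = path === marker + name && chosen.has(name);
    summary.total += 1;
    summary[isDirect ? "direct" : "transitive"] += 1;
    // npm records hasInstallScript for packages that run a script at install time.
    if (meta.hasInstallScript) {
      summary.installScripts.push(`${name}@${meta.version} (${isDirect ? "direct" : "transitive"})`);
    }
  }
  return summary;
}

// Constructed sample lockfile; package names are hypothetical, not real packages.
const SAMPLE_LOCK = {
  name: "todo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "todo-app", version: "1.0.0",
          dependencies: { "web-framework": "^1.0.0", "http-client": "^2.0.0" } },
    "node_modules/web-framework": { version: "1.0.3" },
    "node_modules/http-client": { version: "2.1.0" },
    "node_modules/body-helper": { version: "0.4.1" },
    "node_modules/native-addon": { version: "3.2.0", hasInstallScript: true },
    "node_modules/http-client/node_modules/body-helper": { version: "0.3.9", hasInstallScript: true },
  },
};

console.log(summarizeLock(SAMPLE_LOCK));
```

To run it on a real project, pass the parsed contents of your own `package-lock.json` to `summarizeLock`; the entries it lists are the ones to review before letting install scripts run.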

Real Supply Chain Attacks

event-stream (2018)

A popular npm package (2M+ weekly downloads) was transferred to a new maintainer who injected code targeting a specific Bitcoin wallet application. The malicious code was hidden in a minified dependency called flatmap-stream.

// The attack was obfuscated, but in essence:
// If the app was Copay (Bitcoin wallet):
//   1. Steal wallet private keys
//   2. Exfiltrate to attacker's server

ua-parser-js (2021)

A maintainer's npm account was compromised. Malicious versions were published that installed cryptominers and credential stealers. 8M+ weekly downloads affected.

colors/faker (2022)

The maintainer of colors and faker (both extremely popular) deliberately sabotaged their own packages, adding infinite loops that printed garbage text. This was protest, not malice, but demonstrated the risk of depending on a single unpaid maintainer.

xz/liblzma (2024)

A sophisticated, multi-year social engineering campaign. The attacker:

  1. Built trust as a legitimate contributor over 2+ years
  2. Gradually gained commit access and became a co-maintainer
  3. Injected a backdoor into the build system (not even visible in the source code)
  4. Aimed the backdoor at SSH authentication on Linux systems

This wasn't a drive-by attack — it was a patient, well-resourced operation that nearly compromised every Linux distribution.

Why Side Projects Are Targets

You might think: "Who would target my todo-app?" But supply chain attacks aren't targeted at your project specifically. They:

  1. Cast a wide net: Compromising a popular package hits millions of projects at once
  2. Target the developer machine: Your npm install runs with YOUR user permissions on YOUR machine — accessing YOUR SSH keys, AWS credentials, and browser cookies
  3. Use your project as a stepping stone: If your side project's CI/CD has access to cloud infrastructure, a compromised dependency gets that access too

The threat is not to your todo-app. The threat is to your development environment and everything it touches.
