What it is
A supply chain attack ships malicious code through a package you trust. Front end builds pull in many transitive dependencies, and any one of them runs in your bundle and your users browsers.
How it happens
- A maintainer account is compromised and a new version is published with hidden code.
- A typosquatted package with a near identical name is installed by mistake.
- A build or install script runs arbitrary code during the install.
Defenses
- Commit a lockfile so installs are reproducible and reviewable.
- Pin versions and review diffs before upgrading.
- Run audit tooling to flag known vulnerable versions.
- Reduce blast radius with integrity hashes and fewer dependencies.
Build time versus runtime
Some attacks run during install on your build machine, stealing secrets from the CI environment. Others ship code that runs in the browser. Both matter, so protect the build and the bundle.
Key idea
Front end dependencies run in your build and your users browsers; lockfiles, audits, and minimal trust shrink supply chain risk.