Supply Chain Attacks

How attackers compromise the dependencies and build pipeline instead of your own code.

What Supply Chain Attacks Are

A supply chain attack targets the components and tooling you trust rather than your application code directly. By compromising a popular library, a build server, or an update mechanism, an attacker can reach every organization that consumes the poisoned artifact.

Common Vectors

  • Malicious packages published to a registry, sometimes via typosquatting a popular name.
  • Account takeover of a maintainer who then ships a backdoored release.
  • Build pipeline compromise that injects malicious code during compilation, even when the source looks clean.
  • Dependency confusion, where an internal package name is shadowed by a public one.

Defenses

  • Pin exact versions with a lockfile and verify integrity hashes on install.
  • Generate a software bill of materials so you know every component you ship.
  • Restrict and authenticate the build pipeline, and isolate it from untrusted input.
  • Use scoped names for internal packages and restrict which registries can serve them, to prevent dependency confusion.
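
The first and last defenses above, combined into one lockfile audit. This is an added example, not part of the original lesson. It assumes an npm-style lockfile layout (`packages`, `resolved`, `integrity`); the package names, the `@acme` scope and both registry hosts are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse

ALLOWED_ALGS = {"sha256", "sha384", "sha512"}  # sha1/md5 pins are treated as failures

def sri(data: bytes, alg: str = "sha512") -> str:
    """Build an SRI string ("<alg>-<base64 digest>") for artifact bytes."""
    return f"{alg}-{base64.b64encode(hashlib.new(alg, data).digest()).decode()}"

def sri_matches(data: bytes, integrity: str) -> bool:
    """True only if the bytes hash to the pinned value under a strong algorithm."""
    alg, _, _ = integrity.partition("-")
    if alg not in ALLOWED_ALGS:
        return False
    return hmac.compare_digest(sri(data, alg), integrity)

def audit(lock: dict, artifacts: dict, scope: str, registry_host: str) -> list:
    """Return (package, problem) findings for an npm-style lockfile dict."""
    findings = []
    for path, meta in lock["packages"].items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = path.split("node_modules/")[-1]
        host = urlparse(meta.get("resolved", "")).hostname
        if name.startswith(scope + "/") and host != registry_host:
            findings.append((name, "internal scope resolved from " + str(host)))
        integrity = meta.get("integrity")
        if not integrity:
            findings.append((name, "no integrity hash pinned"))
        elif name in artifacts and not sri_matches(artifacts[name], integrity):
            findings.append((name, "artifact does not match pinned hash"))
    return findings

# Constructed sample data: names, hosts and tarball bytes are invented.
GOOD, TAMPERED = b"tarball-bytes-v1.2.3", b"tarball-bytes-v1.2.3+backdoor"
LOCK = {"packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/example-lib": {"version": "1.2.3",
        "resolved": "https://registry.example.org/example-lib-1.2.3.tgz",
        "integrity": sri(GOOD)},
    "node_modules/@acme/billing": {"version": "2.0.0",
        "resolved": "https://registry.example.org/@acme/billing-2.0.0.tgz",
        "integrity": sri(b"billing")},
    "node_modules/unpinned": {"resolved": "https://registry.example.org/unpinned-0.1.0.tgz"},
}}

if __name__ == "__main__":
    print(audit(LOCK, {"example-lib": TAMPERED}, "@acme", "npm.internal.example"))
```

Run in CI before install, a non-empty findings list is a reason to fail the build.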

Key idea

Defend the whole pipeline, not just your code: pin and verify dependencies, build a bill of materials, and harden the build system against tampering.

Check yourself

1. What is dependency confusion?

2. How does a lockfile with integrity hashes help?

3. Why is the build pipeline a high-value target?