Supply chain failures occur when malicious or vulnerable code enters your application through third-party dependencies, compromised build systems, or tampered distribution channels. A single compromised package can affect millions of applications.
- Malicious packages: attackers publish packages with harmful code or hijack existing ones. Examples: event-stream, ua-parser-js
- Typosquatting: packages with names similar to popular libraries, intended to trick developers. Examples: lodahs, reacct, axois
- Dependency confusion: exploiting package manager resolution order to inject malicious code. Example: internal package name collision
- Build system compromise: attackers infiltrate CI/CD pipelines to inject backdoors. Examples: SolarWinds, Codecov
- Vulnerable dependencies: using libraries with known security vulnerabilities. Examples: Log4j, Struts, OpenSSL
- Unmaintained dependencies: dependencies no longer receiving security updates. Example: abandoned npm packages
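As an added example (not code from the original page), the following lockfile audit covers three of the failure modes listed above: dependency confusion, typosquatting, and tampered distribution. It assumes a hypothetical internal scope `@acme` and internal registry URL `https://npm.internal.example/`; the lockfile content and the short list of popular package names are constructed for illustration.

```python
import json

# Constructed package-lock.json fragment (lockfileVersion 3 layout), not a real project's lockfile.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "node_modules/lodash": {"version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", "integrity": "sha512-AAAA"},
    "node_modules/lodahs": {"version": "1.0.0",
      "resolved": "https://registry.npmjs.org/lodahs/-/lodahs-1.0.0.tgz", "integrity": "sha512-BBBB"},
    "node_modules/@acme/auth-client": {"version": "99.0.0",
      "resolved": "https://registry.npmjs.org/@acme/auth-client/-/auth-client-99.0.0.tgz", "integrity": "sha512-CCCC"},
    "node_modules/left-pad": {"version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"}
  }
}""")
# Short constructed allowlist of well-known names; a real audit would use a much larger list.
POPULAR = ["lodash", "react", "axios", "express"]

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_lockfile(lock, internal_scopes, internal_registry):
    """Return (package, reason) findings for confusion, missing integrity and typosquat candidates."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:          # "" is the root project entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = meta.get("resolved", "")
        scope = name.split("/")[0] if name.startswith("@") else None
        # Dependency confusion: an internal scope must only resolve from the internal registry.
        if scope in internal_scopes and not resolved.startswith(internal_registry):
            findings.append((name, "dependency-confusion: internal scope resolved from " + resolved))
        # Tampered distribution: without an integrity hash npm cannot verify the downloaded tarball.
        if "integrity" not in meta:
            findings.append((name, "missing-integrity: tarball not pinned to a hash"))
        # Typosquatting: within two edits of a popular name but not equal to it.
        for pop in POPULAR:
            if 0 < edit_distance(name, pop) <= 2:
                findings.append((name, "typosquat-candidate: looks like " + pop))
    return findings
```

Running `audit_lockfile(SAMPLE_LOCK, {"@acme"}, "https://npm.internal.example/")` flags the confused `@acme/auth-client`, the unpinned `left-pad`, and `lodahs` as a look-alike of `lodash`, while the genuine `lodash` entry is clean.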
Notable incidents:

- Attackers compromised the build pipeline to inject the SUNBURST backdoor into software updates
- A critical remote code execution vulnerability in a widely used logging library allowed arbitrary code execution
- A maintainer account was compromised and malicious versions carrying a cryptominer were published
- A multi-year social engineering campaign to become a maintainer and insert an SSH backdoor
- A modified bash script exfiltrated environment variables and secrets from CI pipelines
- A new maintainer added a malicious dependency targeting Bitcoin wallets
Built by an OWASP Member • Part of the OWASP Web Security Lab Series