Supply Chain Attack
A supply chain attack targets a trusted third party—such as a software vendor, open source dependency, or CI/CD pipeline—to compromise downstream victims indirectly.
Last updated: March 3, 2026
A supply chain attack is a cyberattack that targets a less-secure element in the software or hardware supply chain rather than attacking the intended victim directly. Instead of breaching a hardened target head-on, attackers compromise a trusted supplier—such as a software vendor, an open source package, or a build and deployment system—and use that foothold to reach many downstream organisations at once.
Common vectors include injecting malicious code into a popular open source library, compromising a CI/CD pipeline to tamper with build artefacts, or poisoning a package registry. Because the malicious payload arrives via a trusted channel, it often bypasses traditional perimeter defences.
Mitigations include software composition analysis (SCA), signed artefacts and provenance attestation (e.g. SLSA), dependency pinning, and monitoring CI/CD pipeline integrity.
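As an added illustration of two of these mitigations (dependency pinning and provenance attestation), the Python check below verifies a downloaded artefact against a pinned SHA-256 and against a SLSA v1 provenance statement whose subject digest and builder identity must match policy; it is example code written for this entry, not code from any real tool. The artefact name, bytes, digests and builder URL are constructed, and the check assumes the DSSE envelope carrying the statement has already been signature-verified.

```python
import hashlib
import json

# Hypothetical allowlist of builder identities this organisation trusts.
TRUSTED_BUILDERS = {"https://ci.example.internal/builder/v1"}
SLSA_V1 = "https://slsa.dev/provenance/v1"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_artefact(name: str, data: bytes, pinned: dict, statement_json: str) -> list:
    """Return policy violations for one downloaded artefact (empty list = accept).
    Assumes the DSSE envelope carrying the statement was already signature-verified."""
    problems = []
    digest = sha256_hex(data)
    # Dependency pinning: fail closed on artefacts that are unpinned or do not match.
    expected = pinned.get(name)
    if expected is None:
        problems.append("unpinned dependency")
    elif expected != digest:
        problems.append("digest mismatch against pinned lockfile")
    # Provenance attestation: the statement must name these exact bytes and a trusted builder.
    try:
        stmt = json.loads(statement_json)
    except json.JSONDecodeError:
        return problems + ["unparseable provenance statement"]
    if stmt.get("predicateType") != SLSA_V1:
        problems.append("unexpected predicate type")
    subjects = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if digest not in subjects:
        problems.append("provenance subject does not cover this artefact")
    builder = stmt.get("predicate", {}).get("runDetails", {}).get("builder", {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        problems.append(f"untrusted builder: {builder}")
    return problems

# Constructed sample data: a clean build, its lockfile pin, and a SLSA v1 statement.
GOOD = b"constructed tarball bytes for example-lib 1.4.2"
PINNED = {"example-lib-1.4.2.tar.gz": sha256_hex(GOOD)}

def make_statement(data: bytes, builder: str) -> str:
    return json.dumps({
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "example-lib-1.4.2.tar.gz", "digest": {"sha256": sha256_hex(data)}}],
        "predicateType": SLSA_V1,
        "predicate": {"runDetails": {"builder": {"id": builder}}},
    })

GOOD_STMT = make_statement(GOOD, "https://ci.example.internal/builder/v1")
TAMPERED = GOOD + b"\n# line injected after the build"  # substituted in transit
```

Running check_artefact on GOOD returns no violations, while TAMPERED fails both the lockfile pin and the provenance subject check, which is the signal a pipeline should block on.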