Supply Chain Attack
ELI5 — The Vibe Check
A supply chain attack is when hackers don't attack your code — they attack the code your code depends on. That npm package with 10 million downloads? What if someone slips malicious code into a new version? Your next npm install pulls it in automatically and now your app is compromised. You didn't write the vulnerability. You installed it. And so did 10 million other projects.
Real Talk
A supply chain attack targets the software development and distribution pipeline rather than the end application directly. Attack vectors include compromising package registries (npm, PyPI), hijacking maintainer accounts (typosquatting, social engineering), injecting malicious code into build systems, or tampering with CI/CD pipelines. Notable incidents include the event-stream attack (2018), ua-parser-js (2021), and xz-utils (2024).
When You'll Hear This
"The xz-utils backdoor was a multi-year supply chain attack that nearly compromised every Linux server." / "We audit every dependency update because supply chain attacks are real."
Related Terms
Dependency
A dependency is a package your project relies on to work. Your app depends on React to render UI, axios to make requests, and dotenv to read config.
npm
npm is like a vending machine for code. You say 'I want React' and it delivers React, plus React's 47 friends, plus their friends' friends.
Package Manager
A package manager is the app store for your code — it downloads libraries, manages versions, and makes sure everything plays nice together. It's like a gro
SBOM
An SBOM is a complete ingredient list for your software — every library, every dependency, every version. Like food nutrition labels but for code.
Vulnerability
A vulnerability is a weakness in your code or system that a bad guy could exploit. Like a broken lock on a door.