
Supply Chain Attack

Spicy — senior dev territory · Security

ELI5 — The Vibe Check

A supply chain attack is when a hacker doesn't attack YOU — they attack something you depend on. They compromise an npm package, a Docker base image, a CI/CD tool, or a build dependency. When you install or update it, you get their malicious code for free. It's like poisoning the water supply instead of individual houses. One compromised package can infect thousands of projects.

Real Talk

Supply chain attacks target the software development and distribution pipeline — compromising dependencies, build tools, CI/CD systems, or package registries to inject malicious code into downstream consumers. Notable examples include the SolarWinds attack (2020), ua-parser-js hijack (2021), and xz utils backdoor (2024). Defenses include dependency pinning, lockfile verification, SBOM generation, Sigstore signing, and tools like Socket.dev and Snyk for dependency scanning.
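Two of the defenses listed above, dependency pinning and lockfile verification, are easy to show in working code. The script below is an added example, not code from the original page or from any of the tools it names. It checks a pip-style requirements file for two policy violations (a dependency that is not pinned with `==`, and one that carries no `--hash=sha256:` digest), then verifies a fetched artifact against the locked digest with a constant-time compare. The package names, version numbers and artifact bytes are all constructed for the example; the `--hash=` syntax is the form pip's hash-checking mode accepts.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Matches "name", "name==1.2.3", "name>=2.0", etc. The name class has no
# comparison characters, so the match stops at the operator.
SPEC_RE = re.compile(r"^([A-Za-z0-9_.-]+)(==|>=|<=|~=|!=|>|<)?(.*)$")


@dataclass
class Requirement:
    name: str
    op: Optional[str]
    version: Optional[str]
    hashes: Dict[str, str] = field(default_factory=dict)  # algo -> hex digest


def parse_requirement(line: str) -> Requirement:
    """Parse one requirements line: a version spec plus optional --hash= tokens."""
    tokens = line.split()
    match = SPEC_RE.match(tokens[0])
    if match is None:
        raise ValueError(f"unparseable requirement: {line!r}")
    name, op, version = match.group(1), match.group(2), match.group(3) or None
    hashes: Dict[str, str] = {}
    for tok in tokens[1:]:
        if not tok.startswith("--hash="):
            raise ValueError(f"unexpected token {tok!r} in {line!r}")
        algo, digest = tok[len("--hash="):].split(":", 1)
        hashes[algo.lower()] = digest.lower()
    return Requirement(name, op, version, hashes)


def lockfile_findings(text: str) -> List[str]:
    """Report dependencies that are not exactly pinned or have no sha256 digest.

    A floating range (">=2.0") lets a compromised future release install
    silently; a missing digest means a tampered artifact cannot be detected.
    """
    findings: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        req = parse_requirement(line)
        if req.op != "==":
            spec = f"{req.op or 'any'}{req.version or ''}"
            findings.append(f"{req.name}: not pinned to an exact version ({spec})")
        if "sha256" not in req.hashes:
            findings.append(f"{req.name}: no sha256 digest to verify against")
    return findings


def verify_artifact(req: Requirement, data: bytes) -> bool:
    """Return True only if data's sha256 equals the locked digest.

    hmac.compare_digest avoids leaking where the comparison diverged.
    """
    expected = req.hashes.get("sha256")
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample data (not real packages): the bytes that were locked,
# and a copy with extra bytes appended after the lock was taken.
GENUINE = b"def greet():\n    return 'hello'\n"
TAMPERED = GENUINE + b"# bytes that were not present when the digest was locked\n"
LOCKED_SHA256 = hashlib.sha256(GENUINE).hexdigest()

# Constructed lockfile: the first line is pinned and hashed (the corrected
# setting); the second is a floating range with no digest (the weak setting).
LOCKFILE = (
    f"example-lib==1.2.3 --hash=sha256:{LOCKED_SHA256}\n"
    "helper-tool>=2.0\n"
)


def check_fetched(lockfile: str, fetched: Dict[str, bytes]) -> Dict[str, bool]:
    """Map each locked package name to whether its fetched bytes verify."""
    results: Dict[str, bool] = {}
    for raw in lockfile.splitlines():
        if raw.strip():
            req = parse_requirement(raw)
            results[req.name] = verify_artifact(req, fetched.get(req.name, b""))
    return results


if __name__ == "__main__":
    for finding in lockfile_findings(LOCKFILE):
        print("policy:", finding)
    print("genuine verifies:", check_fetched(LOCKFILE, {"example-lib": GENUINE}))
    print("tampered verifies:", check_fetched(LOCKFILE, {"example-lib": TAMPERED}))
```

Run as a script, it prints two policy findings for `helper-tool` and then `True` for the genuine artifact and `False` for the tampered one; `helper-tool` is always `False` because there is no digest to check against, which is exactly the gap a lockfile without hashes leaves open.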

When You'll Hear This

"The xz backdoor was the scariest supply chain attack — it almost hit every Linux server." / "Pin your dependencies and verify checksums to reduce supply chain risk."

Made with passive-aggressive love by manoga.digital. Powered by Claude.