What is Supply Chain Attack?

Supply chain attacks compromise software before it reaches end users by targeting dependencies, build systems, or distribution channels. Examples include typosquatting (malicious packages with similar names on PyPI/npm), compromised maintainer accounts, backdoored updates (SolarWinds attack), and poisoned CI/CD pipelines. Defense measures include pinning dependency versions, using lock files, verifying package signatures, scanning dependencies for known vulnerabilities (npm audit, pip-audit, Snyk), using private package registries, implementing Software Bill of Materials (SBOM), and practicing least-privilege in build systems. The Log4Shell vulnerability demonstrated how a single dependency can impact millions of applications.