Back to Blog
Threat Intelligence3 min read

Defending Against Software Supply Chain Attacks

Security TeamJanuary 20, 2026
supply chaindependenciesSCASBOM

Defending Against Software Supply Chain Attacks

Software supply chain attacks have surged dramatically. From SolarWinds to Log4Shell, these attacks exploit the trust we place in third-party code. Here's how to defend against them.

What Are Supply Chain Attacks?

A supply chain attack targets the less-secure elements in your software ecosystem:

  • Compromised dependencies — Malicious code injected into popular npm/PyPI packages
  • Build system attacks — Tampering with CI/CD pipelines
  • Code signing abuse — Stolen certificates used to sign malicious code
  • Typosquatting — Packages with names similar to popular ones
  • Dependency confusion — Exploiting how package managers resolve internal vs. public packages

The Scale of the Problem

  • The average enterprise application uses 200+ open source dependencies
  • 62% of organizations have experienced a supply chain attack
  • Malicious packages on npm, PyPI, and RubyGems increased 300% in 2025
  • Mean time to detect a supply chain breach: 287 days

Defense Strategy

1. Know Your Dependencies (SBOM)

A Software Bill of Materials (SBOM) is your inventory of all software components:

  • Generate SBOMs automatically in CI/CD
  • Use standard formats (CycloneDX, SPDX)
  • Track transitive (indirect) dependencies too
  • Update your SBOM with every release

2. Software Composition Analysis (SCA)

Continuously scan dependencies for vulnerabilities:

  • Integrate SCA tools into CI/CD pipelines (Snyk, Dependabot, Trivy)
  • Block builds with critical/high vulnerabilities
  • Set up alerts for newly discovered CVEs
  • Track license compliance

3. Lock Your Dependencies

  • Use lockfiles (package-lock.json, Pipfile.lock, Cargo.lock)
  • Pin exact versions in production
  • Verify checksums/hashes of downloaded packages
  • Use private registries as a proxy for public packages

4. Verify Package Integrity

  • Check package signatures where available
  • Use Sigstore/cosign for container image verification
  • Verify GPG signatures on critical tools
  • Monitor for unauthorized package maintainer changes

5. Secure Your Build Pipeline

  • Use immutable build environments
  • Implement least privilege for CI/CD service accounts
  • Enable audit logging on all pipeline activities
  • Use ephemeral build agents
  • Sign build artifacts

6. Vendor Assessment

For commercial third-party software:

  • Require vendors to provide SBOMs
  • Assess vendor security practices (SOC 2, ISO 27001)
  • Include security requirements in contracts
  • Monitor vendor breach disclosures

7. Develop an Incident Response Plan

  • Define playbooks for supply chain compromise scenarios
  • Know how to rapidly identify and replace compromised dependencies
  • Maintain an inventory of where each dependency is deployed
  • Practice supply chain breach tabletop exercises

Quick Wins

  1. Enable Dependabot/Renovate — Automated dependency update PRs
  2. Set up npm audit / pip audit in your CI/CD pipeline
  3. Generate your first SBOM — Start with your most critical application
  4. Review npm/PyPI package publishers — Check for recently transferred packages
  5. Enable 2FA on all package registry accounts your team owns

Conclusion

Supply chain security requires a defense-in-depth approach. You can't eliminate third-party dependencies, but you can manage the risk through visibility, verification, and vigilance.

Back to Blog