Supply Chain Vulnerabilities
Description
Supply chain vulnerabilities in software happen when attackers compromise third-party components or services that an application relies on. These can include libraries, frameworks, plugins, APIs, or even entire development environments.
Such vulnerabilities can be introduced at any stage of the software development lifecycle, from coding and testing to deployment. Applications that use AI and LLMs add further exposure: publicly sourced training data and pre-trained models are themselves third-party inputs that can be tampered with before they ever reach your pipeline.
Impact
If attackers manipulate external components or dependencies, the application could behave unpredictably, suffer performance issues, or have its existing security controls bypassed. Malicious or poorly maintained plugins and libraries can also expose sensitive data or give attackers unauthorized access.
In September 2025, a supply chain attack compromised over 100 npm packages downloaded billions of times per week. The attack was self-propagating: malicious code in an infected package used stolen maintainer credentials to inject itself into other packages those maintainers controlled and republish them.
Scenarios
Supply chain vulnerabilities can show up in different ways, depending on how an application uses external components. Examples include:
- Compromised third-party libraries: A widely used open-source library is updated with malicious code that executes when the application runs or, via an install-time script, as soon as the package is installed.
- Malicious plugins or extensions: An externally developed plugin contains hidden code that steals data or performs unauthorized actions.
- Poisoned training data for LLMs: An LLM is trained or fine-tuned on external data that has been manipulated, causing the model to produce incorrect outputs or leak sensitive information.
- Untrusted external services: APIs or services integrated into the application are altered to return harmful data or commands.
Prevention
These steps can help protect applications from supply chain vulnerabilities:
- Keep components up to date: Regularly patch and update all libraries, plugins, and external dependencies in your applications.
- Check third-party components: Review the security of libraries, plugins, and other external components before integrating them, pin the exact versions you reviewed (with their integrity hashes) in a lockfile, and host critical dependencies in repositories you control.
- Validate training data: Inspect any data used for training or fine-tuning to ensure it’s clean and hasn’t been tampered with.
- Maintain an inventory: Track all components with tools like a Software Bill of Materials (SBOM) to keep visibility across your supply chain.
- Use code signing: Verify signatures on the components, models, and data you consume, and sign what you publish, so that authenticity and integrity can be checked rather than assumed.
- Review supplier access: Regularly audit and control access granted to external contributors or suppliers to maintain a strong security posture.
Testing
Test for supply chain vulnerabilities by verifying the integrity of third-party code, hardware, and services. Validate update mechanisms, enforce strict access controls, and monitor continuously for tampering or unauthorized dependencies.
- OWASP ASVS: 3.6